OFFICE OF THE SECRETARY OF DEFENSE
1950 DEFENSE PENTAGON
WASHINGTON, DC 20301-1950

MAY 14 2007

ADMINISTRATION  AND 
MANAGEMENT 

FOREWORD 

This Regulation is reissued under the authority of DoD Directive 5400.11, “DoD Privacy
Program,”  May  8,  2007  (Reference  (a)).  It  provides  guidance  on  section  552a  of  title  5  United 
States  Code  (U.S.C.),  the  Privacy  Act  of  1974,  as  amended,  (Reference  (b)),  and  prescribes  uniform 
procedures  for  implementation  of  the  DoD  Privacy  Program. 

DoD 5400.11-R, “Department of Defense Privacy Program,” August 13, 1983, is hereby canceled.

This  Regulation  applies  to  the  Office  of  the  Secretary  of  Defense,  the  Military  Departments,  the 
Chairman  of  the  Joint  Chiefs  of  Staff,  the  Combatant  Commands,  the  Inspector  General  of  the 
Department  of  Defense,  the  Defense  Agencies,  the  DoD  Field  Activities,  and  all  other 
organizational  entities  within  the  Department  of  Defense  (hereafter  referred  to  as  the  “DoD 
Components”). 

The  provisions  of  this  Regulation  shall  be  applicable  by  contract  or  other  legally  binding  action  to 
U.S.  Government  contractors  whenever  a  DoD  contract  requires  the  performance  of  any  activities 
associated  with  maintaining  a  system  of  records,  including  the  collection,  use,  and  dissemination  of 
records  on  behalf  of  the  contracting  DoD  Component.  When  maintaining  a  system  of  records  or  a 
portion  of  a  system  of  records,  contractors  and  their  employees  shall  be  considered  employees  of 
the  contracting  DoD  Component  for  purposes  of  the  criminal  penalties  of  the  Act. 

This  Regulation  does  not  apply  to: 

•  Requests  for  information  made  under  the  Freedom  of  Information  Act  (DoD  Directive 
5400.7) (Reference (c)). They are processed in accordance with DoD 5400.7-R (Reference
(d)).

•  Requests  for  information  from  systems  of  records  controlled  by  the  Office  of  Personnel 
Management  (OPM),  although  maintained  by  a  DoD  Component.  These  are  processed  in 
accordance  with  policies  established  by  OPM  (Reference  (e)). 

•  Requests  for  personal  information  from  the  General  Accountability  Office.  These  are 
processed  in  accordance  with  DoD  Directive  7650.1  (Reference  (f)). 

• Requests for personal information from Congress. These are processed in accordance with
DoD  Directive  5400.4  (Reference  (g)),  except  for  the  specific  provisions  in  Chapter  4  of 
this  Regulation. 
This Regulation is effective immediately and its use is mandatory for all DoD Components. The
Heads  of  the  DoD  Components  may  issue  supplementary  instructions  only  when  necessary  to 
provide  for  unique  requirements  within  their  Components.  Such  instructions  may  not  conflict  with 
the  provisions  of  this  Regulation. 

Send  recommended  changes  to  this  Regulation  to  the  following  address: 


Director,  Defense  Privacy  Office 
1901  South  Bell  Street,  Room  920 
Arlington,  VA  22202-4512 


The  DoD  Components  may  obtain  copies  of  this  Regulation  through  their  own  publication 
channels.  Approved  for  public  release;  distribution  unlimited.  Copies  are  available  via  the  World 
Wide  Web  at  http://www.dtic.mil/whs/directives.  Authorized  registered  users  may  obtain  copies  of 
the  publication  from  the  Defense  Technical  Information  Center,  8725  John  J.  Kingman  Road,  Fort 
Belvoir, VA 22060-6218. Other Federal Agencies and the public may obtain copies from the U.S.
Department  of  Commerce,  National  Technical  Information  Service,  5285  Port  Royal  Road, 
Springfield,  VA  22161. 


Michael  B.  Donley 
DoD  Senior  Privacy  Official 
DL1. DEFINITIONS

DL1.1. Access. For the purposes of this Regulation, the review of a record or a copy of a record,
or  parts  thereof,  in  a  system  of  records  by  any  individual. 

DL1.2.  Agency.  For  the  purposes  of  disclosing  records  subject  to  the  Privacy  Act  (Reference  (b)) 
among the DoD Components, the Department of Defense is considered a single agency. For all
other  purposes,  to  include  requests  for  access  and  amendment,  denial  of  access,  or  amendment, 
appeals  from  denials,  and  record  keeping,  as  relating  to  the  release  of  records  to  non-DoD 
Agencies,  each  DoD  Component  is  considered  an  agency  within  the  meaning  of  Reference  (b). 

DL1.3.  Computer  Matches.  The  computerized  comparison  of  two  or  more  automated  systems  of 
records  or  a  system  of  records  with  non-Federal  records.  Manual  comparison  of  systems  of  records 
or  a  system  of  records  with  non-Federal  records  are  not  covered. 

DL1.4.  Confidential  Source.  A  person  or  organization  who  has  furnished  information  to  the 
Federal  Government  under  an  express  promise,  if  made  on  or  after  September  27,  1975,  that  the 
person’s  or  the  organization’s  identity  shall  be  held  in  confidence  or  under  an  implied  promise  of 
such  confidentiality  if  this  implied  promise  was  made  on  or  before  September  26,  1975. 

DL1.5.  Disclosure.  The  transfer  of  any  personal  information  from  a  system  of  records  by  any 
means  of  communication  (such  as  oral,  written,  electronic,  mechanical,  or  actual  review)  to  any 
person,  private  entity,  or  Government  Agency,  other  than  the  subject  of  the  record,  the  subject’s 
designated  agent,  or  the  subject’s  legal  guardian. 

DL1.6.  Federal  Benefit  Program.  A  program  administered  or  funded  by  the  Federal  Government, 
or  by  any  agent  or  State  on  behalf  of  the  Federal  Government,  providing  cash  or  in-kind  assistance 
in  the  form  of  payments,  grants,  loans,  or  loan  guarantees  to  individuals. 

DL1.7.  Federal  Personnel.  Officers  and  employees  of  the  Government  of  the  United  States, 
members  of  the  uniformed  services  (including  members  of  the  Reserve  Components),  individuals 
entitled  to  receive  immediate  or  deferred  retirement  benefits  under  any  retirement  program  of  the 
United  States  (including  survivor  benefits). 

DL1.8. Individual. A living person who is a citizen of the United States or an alien lawfully
admitted for permanent residence. The parent of a minor or the legal guardian of any individual
may  also  act  on  behalf  of  an  individual.  Members  of  the  U.S.  Armed  Forces  are  “individuals.” 
Corporations,  partnerships,  sole  proprietorships,  professional  groups,  businesses,  whether 
incorporated  or  unincorporated,  and  other  commercial  entities  are  not  “individuals”  when  acting  in 
an  entrepreneurial  capacity  with  the  Department  of  Defense,  but  are  “individuals”  when  acting  in  a 
personal  capacity  (e.g.,  security  clearances,  entitlement  to  DoD  privileges  or  benefits,  etc.). 

DL1.9.  Individual  Access.  Access  to  information  pertaining  to  the  individual  by  the  individual  or 
his  or  her  designated  agent  or  legal  guardian. 
DL1.10. Lost, Stolen, or Compromised Information. Actual or possible loss of control,
unauthorized disclosure, or unauthorized access of personal information where persons other than
authorized users gain access or potential access to such information for other than authorized
purposes  where  one  or  more  individuals  will  be  adversely  affected.  Such  incidents  also  are  known 
as  breaches. 

DL1.11. Maintain. To maintain, collect, use, or disseminate records contained in a system of
records. 

DL1.12. Non-Federal Agency. Any state or local government, or agency thereof, which receives
records  contained  in  a  system  of  records  from  a  source  agency  for  use  in  a  computer  matching 
program. 

DL1.13. Official Use. Within the context of this Regulation, this term is used when officials and
employees of a DoD Component have demonstrated a need for the use of any record or the
information contained therein in the performance of their official duties, subject to DoD 5200.1-R
(Reference (h)).

DL1.14. Personal Information. Information about an individual that identifies, links, relates, or is
unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade;
marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel,
medical, and financial information, etc. Such information is also known as personally identifiable
information (i.e., information which can be used to distinguish or trace an individual’s identity,
such  as  their  name,  social  security  number,  date  and  place  of  birth,  mother’s  maiden  name, 
biometric  records,  including  any  other  personal  information  which  is  linked  or  linkable  to  a 
specified  individual). 

DL1.15.  Privacy  Act.  The  Privacy  Act  of  1974,  as  amended,  5  U.S.C.  552a  (Reference  (b)). 

DL1.16. Privacy Act Request. A request from an individual for notification as to the existence of,
access  to,  or  amendment  of  records  pertaining  to  that  individual.  These  records  must  be  maintained 
in  a  system  of  records. 

DL1.17. Member of the Public. Any individual or party acting in a private capacity to include
Federal  employees  or  military  personnel. 

DL1.18.  Recipient  (matching)  Agency.  Any  agency,  or  contractor  thereof,  receiving  records 
contained  in  a  system  of  records  from  a  source  agency  for  use  in  a  computer  matching  program. 

DL1.19. Record. Any item, collection, or grouping of information, whatever the storage media
(paper,  electronic,  etc.),  about  an  individual  that  is  maintained  by  a  DoD  Component,  including,  but 
not  limited  to,  an  individual’s  education,  financial  transactions,  medical  history,  criminal  or 
employment  history,  and  that  contains  his  or  her  name,  or  the  identifying  number,  symbol,  or  other 
identifying  particular  assigned  to  the  individual,  such  as  a  finger  or  voice  print,  or  a  photograph. 

DL1.20.  Risk  Assessment.  An  analysis  considering  information  sensitivity,  vulnerabilities,  and 
cost  in  safeguarding  personal  information  processed  or  stored  in  the  facility  or  activity. 
DL1.21. Routine Use. The disclosure of a record outside the Department of Defense for a use that
is compatible with the purpose for which the information was collected and maintained by the
Department  of  Defense.  The  routine  use  must  be  included  in  the  published  system  notice  for  the 
system  of  records  involved. 

DL1.22.  Source  Agency.  Any  agency  which  discloses  records  contained  in  a  system  of  records  to 
be  used  in  a  computer-matching  program,  or  any  state  or  local  government  or  agency  thereof, 
which  discloses  records  to  be  used  in  a  computer-matching  program. 

DL1.23.  Statistical  Record.  A  record  maintained  only  for  statistical  research  or  reporting  purposes 
and not used in whole or in part in making determinations about specific individuals.

DL1.24. System of Records. A group of records under the control of a DoD Component from
which personal information about an individual is retrieved by the name of the individual, or by
some  other  identifying  number,  symbol,  or  other  identifying  particular  assigned,  that  is  unique  to 
the  individual. 
C1. CHAPTER 1
SYSTEMS  OF  RECORDS 


C1.1. GENERAL

C1.1.1. System of Records. To be subject to the provisions of this Regulation a “system of
records”  must: 

C1.1.1.1. Consist of “records,” (as defined in paragraph DL1.19) that are retrieved by
the  name  of  an  individual  or  some  other  personal  identifier;  and 

C1.1.1.2. Be under the control of a DoD Component.

C1.1.2. Retrieval Practices

C1.1.2.1. Records in a group of records that may be retrieved by a name or personal
identifier  are  not  covered  by  this  Regulation,  even  if  the  records  contain  personal  data  and  are 
under  control  of  a  DoD  Component.  The  records  must  be  retrieved  by  name  or  other  personal 
identifier  to  become  a  system  of  records  for  the  purpose  of  this  Regulation. 

C1.1.2.1.1. When records are contained in an automated Information Technology (IT)
system  that  is  capable  of  being  manipulated  to  retrieve  information  about  an  individual,  this  does 
not  automatically  transform  the  system  into  a  system  of  records,  as  defined  in  this  Regulation. 

C1.1.2.1.2. In determining whether an automated system is a system of records that is
subject to this Regulation, retrieval policies and practices shall be evaluated. If DoD Component
policy is to retrieve personal information by name or other unique personal identifier, it is a system
of  records.  If  DoD  Component  policy  prohibits  retrieval  by  name  or  other  identifier,  but  the  actual 
practice  of  the  Component  is  to  retrieve  information  by  name  or  identifier,  even  if  done 
infrequently,  it  is  a  system  of  records. 

C1.1.2.2. If records are retrieved by name or personal identifier, a system notice must be
submitted  in  accordance  with  paragraph  C6.4  of  Chapter  6. 

C1.1.2.3. If records that are not retrieved by name or personal identifier but then are
rearranged  in  such  a  manner  that  they  are  retrieved  by  name  or  personal  identifier,  a  new  systems 
notice  must  be  submitted  in  accordance  with  paragraph  C6.4  of  Chapter  6. 

C1.1.2.4. If records in a system of records are rearranged so that retrieval is no longer
by  name  or  other  personal  identifier,  the  records  are  no  longer  subject  to  this  Regulation,  and  the 
system  notice  for  the  records  shall  be  deleted  in  accordance  with  paragraph  C6.5  of 
Chapter  6. 
C1.1.3. Relevance and Necessity. Information or records about an individual shall only be
maintained  in  a  system  of  records  that  is  relevant  and  necessary  to  accomplish  a  DoD  Component 
purpose  required  by  a  Federal  statute  or  an  Executive  Order. 

C1.1.4. Authority to Establish Systems of Records. Identify the specific statute or the
Executive  Order  that  authorizes  maintaining  personal  information  in  each  system  of  records.  The 
existence  of  a  statute  or  Executive  Order  mandating  the  maintenance  of  a  system  of  records  does 
not  abrogate  the  responsibility  to  ensure  that  the  information  in  the  system  of  records  is  relevant 
and  necessary. 

If  a  statute  or  Executive  Order  does  not  expressly  direct  the  creation  of  a  system  of  records,  but  the 
establishment  of  a  system  of  records  is  necessary  in  order  to  discharge  the  requirements  of  the 
statute  or  Executive  Order,  the  statute  or  Executive  Order  shall  be  cited  as  the  authority. 

C1.1.5. Exercise of First Amendment Rights

C1.1.5.1. Do not maintain any records describing how an individual exercises his or her
rights  guaranteed  by  the  First  Amendment  of  the  U.S.  Constitution,  except  when: 

C1.1.5.1.1. Expressly authorized by Federal statute;

C1.1.5.1.2. Expressly authorized by the individual; or

C1.1.5.1.3. Maintenance of the information is pertinent to and within the scope of an
authorized  law  enforcement  activity. 

C1.1.5.2. First Amendment rights include, but are not limited to, freedom of religion,
freedom  of  political  beliefs,  freedom  of  speech,  freedom  of  the  press,  the  right  to  assemble,  and  the 
right  to  petition. 

C1.1.6. System Manager’s Evaluation

C1.1.6.1. Evaluate the information to be included in each new system before establishing
the System, and evaluate periodically the information contained in each existing system of records
for  relevancy  and  necessity.  Such  a  review  shall  also  occur  when  a  system  notice  alteration  or 
amendment  is  prepared.  See  sections  C6.4  and  C6.5  of  Chapter  6. 

C1.1.6.2. Consider the following:

C1.1.6.2.1. The relationship of each item of information retained and collected to the
purpose  for  which  the  system  is  maintained; 

C1.1.6.2.2. The specific impact on the purpose or mission of not collecting each
category  of  information  contained  in  the  system; 

C1.1.6.2.3. The possibility of meeting the informational requirements through use of
information  not  individually  identifiable  or  through  other  techniques,  such  as  sampling; 
C1.1.6.2.4. The length of time each item of personal information must be retained;

C1.1.6.2.5. The cost of maintaining the information; and

C1.1.6.2.6. The necessity and relevancy of the information to the purpose for which it
was  collected. 

C1.1.7. Discontinued Information Requirements

C1.1.7.1. Stop collecting immediately any category or item of personal information for
which  retention  is  no  longer  justified.  Also  delete  this  information  from  existing  records,  when 
feasible. 

C1.1.7.2. Do not destroy any records that must be retained in accordance with disposal
authorizations  established  under  Section  3303a  of  44  U.S.C.  (Reference  (i)). 


C1.2.  STANDARDS  OF  ACCURACY 

C1.2.1. Accuracy of Information Maintained. Maintain all personal information that is used or
may be used to make any determination about an individual with such accuracy, relevance,
timeliness,  and  completeness  as  is  reasonably  necessary  to  ensure  fairness  to  the  individual  in 
making  any  such  determination. 

C1.2.2. Accuracy Determinations before Dissemination. Before disseminating any personal
information  from  a  system  of  records  to  any  person  outside  the  Department  of  Defense,  other  than  a 
Federal  Agency,  make  reasonable  efforts  to  ensure  that  the  information  to  be  disclosed  is  accurate, 
relevant,  timely,  and  complete  for  the  purpose  it  is  being  maintained.  See  also  paragraph  C4.1.4  of 
Chapter  4. 


C1.3. GOVERNMENT CONTRACTORS

C1.3.1. Applicability to Government Contractors

C1.3.1.1. When a DoD Component contract requires the operation or maintenance of a
system  of  records  or  a  portion  of  a  system  of  records  or  requires  the  performance  of  any  activities 
associated  with  maintaining  a  system  of  records,  including  the  collection,  use,  and  dissemination  of 
records,  the  record  system  or  the  portion  of  the  record  system  affected  are  considered  to  be 
maintained  by  the  DoD  Component  and  are  subject  to  this  Regulation.  The  Component  is 
responsible  for  applying  the  requirements  of  this  Regulation  to  the  contractor.  The  contractor  and 
its  employees  are  to  be  considered  employees  of  the  DoD  Component  for  the  purposes  of  the 
criminal provisions of Reference (b) during the performance of the contract. Consistent with
subpart 24.1 of the Federal Acquisition Regulation (Reference (j)), contracts requiring the
maintenance  or  operation  of  a  system  of  records  or  the  portion  of  a  system  of  records  shall  include 
in  the  solicitation  and  resulting  contract  such  terms  as  are  prescribed  by  Reference  (j). 
C1.3.1.2. If the contractor must use, have access to, or disseminate individually identifiable
information subject to this Regulation in order to perform any part of a contract, and the
information  would  have  been  collected,  maintained,  used,  or  disseminated  by  the  DoD  Component 
but  for  the  award  of  the  contract,  these  contractor  activities  are  subject  to  this  Regulation. 

C1.3.1.3. The restrictions in subparagraphs C1.3.1.1 and C1.3.1.2 of this Chapter do not
apply  to  records: 

C1.3.1.3.1. Established and maintained to assist in making internal contractor
management  decisions,  such  as  records  maintained  by  the  contractor  for  use  in  managing  the 
contract; 


C1.3.1.3.2. Maintained as internal contractor employee records even when used in
conjunction  with  providing  goods  and  services  to  the  Department  of  Defense; 

C1.3.1.3.3. Maintained as training records by an educational organization contracted by
a  DoD  Component  to  provide  training  when  the  records  of  the  contract  students  are  similar  to  and 
commingled  with  training  records  of  other  students  (for  example,  admission  forms,  transcripts, 
academic  counseling  and  similar  records); 

C1.3.1.3.4. Maintained by a consumer reporting agency to which records have been
disclosed under contract in accordance with section 3711(e) of 31 U.S.C., the Federal Claims
Collection  Act  of  1966,  (Reference  (k));  or 

C1.3.1.3.5. Maintained by the contractor incident to normal business practices and
operations.

C1.3.1.4. The DoD Components shall publish instructions that:

C1.3.1.4.1. Furnish DoD Privacy Program guidance to their personnel who solicit,
award,  or  administer  Government  contracts; 

C1.3.1.4.2. Inform prospective contractors of their responsibilities, and provide
training,  as  appropriate,  regarding  the  DoD  Privacy  Program;  and 

C1.3.1.4.3. Establish an internal system of contractor performance review to ensure
compliance  with  the  DoD  Privacy  Program. 

C1.3.2. Contracting Procedures. The Defense Acquisition Regulations Council is responsible
for  developing  the  specific  policies  and  procedures  to  be  followed  when  soliciting  bids,  awarding 
contracts  or  administering  contracts  that  are  subject  to  this  Regulation. 

C1.3.3. Contractor Compliance. Through the various contract surveillance programs, ensure
contractors comply with the procedures established in accordance with paragraph C1.3.2 of this
Chapter. 


DoD 5400.11-R, May 14, 2007


C1.3.4. Disclosure of Records to Contractors. Disclosure of records contained in a system of
records  by  a  DoD  Component  to  a  contractor  for  use  in  the  performance  of  a  DoD  contract  is 
considered a disclosure within the Department of Defense. See paragraph C4.1.2 of Chapter 4.
The  contractor  is  considered  the  agent  of  the  contracting  DoD  Component  and  to  be  maintaining 
and  receiving  the  records  for  that  Component. 


C1.4. SAFEGUARDING PERSONAL INFORMATION

C1.4.1. General Responsibilities. DoD Components shall establish appropriate administrative,
technical  and  physical  safeguards  to  ensure  that  the  records  in  each  system  of  records  are  protected 
from  unauthorized  access,  alteration,  or  disclosure  and  that  their  confidentiality  is  preserved  and 
protected.  Records  shall  be  protected  against  reasonably  anticipated  threats  or  hazards  that  could 
result  in  substantial  harm,  embarrassment,  inconvenience,  or  unfairness  to  any  individual  about 
whom  information  is  kept. 

C1.4.2. Minimum Standards

C1.4.2.1. Tailor system safeguards to conform to the type of records in the system, the
sensitivity  of  the  personal  information  stored,  the  storage  medium  used  and,  to  a  degree,  the 
number  of  records  maintained. 

C1.4.2.2. Treat all unclassified records that contain personal information that normally
would  be  withheld  from  the  public  under  Freedom  of  Information  Exemption  Numbers  6  and  7, 
chapter  3  of  Reference  (d)  as  “For  Official  Use  Only  (FOUO),”  and  safeguard  them  accordingly,  in 
accordance with DoD 5200.1-R (Reference (h)), even if they are not actually marked “FOUO.”

C1.4.2.3. Personal information that does not meet the criteria discussed in paragraph
C1.4.2.2 of this Chapter shall be accorded protection commensurate with the nature and type of
information  involved. 

C1.4.2.4. Special administrative, physical, and technical procedures are required to protect
data  that  is  stored  or  processed  in  an  IT  system  to  protect  against  threats  unique  to  an  automated 
environment. See Appendix 1.

C1.4.2.5. Tailor safeguards specifically to the vulnerabilities of the system.

C1.4.3. Records Disposal

C1.4.3.1. Dispose of records containing personal data so as to prevent inadvertent
compromise.  Disposal  methods  are  those  approved  by  the  Component  or  the  National  Institute  of 
Standards  and  Technology.  For  paper  records,  disposal  methods,  such  as  tearing,  burning,  melting, 
chemical  decomposition,  pulping,  pulverizing,  shredding,  or  mutilation  are  acceptable.  For 
electronic  records  and  media,  disposal  methods,  such  as  overwriting,  degaussing,  disintegration, 
pulverization,  burning,  melting,  incineration,  shredding  or  sanding  are  acceptable. 
C1.4.3.2. Disposal methods are considered adequate if the personal data is rendered
unrecognizable  or  beyond  reconstruction. 


C1.5. NOTIFICATION WHEN INFORMATION IS LOST, STOLEN, OR COMPROMISED

C1.5.1. If records containing personal information are lost, stolen, or compromised (see
paragraph DL1.1.10), the potential exists that the records may be used for unlawful purposes, such
as  identity  theft,  fraud,  stalking,  etc.  The  personal  impact  on  the  affected  individual  may  be  severe 
if  the  records  are  misused.  To  assist  the  individual,  the  Component  shall  promptly  notify  the 
individual  of  any  loss,  theft,  or  compromise.  See  also,  paragraph  10.6.1  of  Chapter  10  for  reporting 
of  the  breach  to  the  Senior  Component  Official  for  Privacy  and  the  Defense  Privacy  Office. 

C1.5.1.1. The notification shall be made whenever a breach occurs that involves personal
information  pertaining  to  a  service  member,  civilian  employee  (appropriated  or  non-appropriated 
fund),  military  retiree,  family  member,  DoD  contractor,  other  persons  that  are  affiliated  with  the 
Component  (e.g.,  volunteers),  and/or  any  other  member  of  the  public  on  whom  information  is 
maintained  by  the  Component  or  by  a  contractor  on  behalf  of  the  Component. 

C1.5.1.2. The notification shall be made as soon as possible, but not later than 10 working
days  after  the  loss,  theft,  or  compromise  is  discovered  and  the  identities  of  the  individuals 
ascertained. 

C1.5.1.2.1. The 10-day period begins after the Component is able to determine the
identities  of  the  individuals  whose  records  were  lost. 

C1.5.1.2.2. If the Component is only able to identify some but not all of the affected
individuals,  notification  shall  be  given  to  those  that  can  be  identified  with  follow-up  notifications 
made  to  those  subsequently  identified. 

C1.5.1.2.3. If the Component cannot readily identify the affected individuals or will not
be  able  to  identify  the  individuals,  the  Component  shall  provide  a  generalized  notice  to  the 
potentially  impacted  population  by  whatever  means  the  Component  believes  is  most  likely  to  reach 
the  affected  individuals. 

C1.5.1.3. When personal information is maintained by a DoD contractor on behalf of the
Component,  the  contractor  shall  notify  the  Component  immediately  upon  discovery  that  a  loss, 
theft,  or  compromise  has  occurred. 

C1.5.1.3.1. The Component shall determine whether the Component or the contractor
shall  make  the  required  notification. 
C1.5.1.3.2. If the contractor is to notify the impacted population, it shall submit the
notification letters to the Component for review and approval. The Component shall coordinate
with the contractor to ensure that the letters meet the requirements of subparagraph C1.5.

C1.5.1.4. Subject to subparagraph C1.5.1.2, the Component shall inform the Deputy
Secretary  of  Defense  of  the  reasons  why  notice  was  not  provided  to  the  individuals  or  the  affected 
population  within  the  10-day  period. 

C1.5.1.4.1. If for good cause (e.g., law enforcement authorities request delayed
notification  as  immediate  notification  will  jeopardize  investigative  efforts),  notice  can  be  delayed, 
but  the  delay  shall  only  be  for  a  reasonable  period  of  time.  In  determining  what  constitutes  a 
reasonable  period  of  delay,  the  potential  harm  to  the  individual  must  be  weighed  against  the 
necessity  for  delayed  notification. 

C1.5.1.4.2. The required notification shall be prepared and forwarded to the Senior
Component  Official  for  Privacy  (Reference  (a))  who  shall  forward  it  to  the  Defense  Privacy  Office. 
The  Defense  Privacy  Office,  in  coordination  with  the  Office  of  the  Under  Secretary  of  Defense  for 
Personnel  and  Readiness,  shall  forward  the  notice  to  the  Deputy  Secretary. 

C1.5.1.5. The notice to the individual, at a minimum, shall include the following:

C1.5.1.5.1. The individuals shall be advised of what specific data was involved. It is
insufficient to simply state that personal information has been lost. Where names, Social Security
Numbers  (SSNs),  and  dates  of  birth  are  involved,  it  is  critical  that  the  individual  be  advised  that 
these  data  elements  potentially  have  been  compromised. 

C1.5.1.5.2. The individual shall be informed of the facts and circumstances surrounding
the  loss,  theft,  or  compromise.  The  description  of  the  loss  should  be  sufficiently  detailed  so  that  the 
individual  clearly  understands  how  the  compromise  occurred. 

C1.5.1.5.3. The individual shall be informed of what protective actions the Component
is taking or the individual can take to mitigate against potential future harm. The Component
should  refer  the  individual  to  the  Federal  Trade  Commission’s  public  web  site  on  identity  theft  at 
http://www.consumer.gov/idtheft/con_steps.htm.  The  site  provides  valuable  information  as  to  what 
steps  individuals  can  take  to  protect  themselves  if  their  identities  potentially  have  been  or  are 
stolen. 


C1.5.1.5.4. A sample notification letter is at Appendix 2.

C1.5.2. The notification shall be made whether or not the personal information is contained in
a system of records. See subparagraph C1.1.1 of this Chapter.

C2. CHAPTER 2

COLLECTING  PERSONAL  INFORMATION 
C2.1.  GENERAL  CONSIDERATIONS 

C2.1.1. Collect Directly from the Individual. Collect to the greatest extent practicable personal
information directly from the individual to whom it pertains, if the information may result in
adverse determinations about an individual’s rights, privileges, or benefits under any Federal
program. 

C2.1.2.  Collecting  SSNs 

C2.1.2.1. It is unlawful for any Federal, State, or local governmental agency to deny an
individual  any  right,  benefit,  or  privilege  provided  by  law  because  the  individual  refuses  to  provide 
his  or  her  SSN.  However,  if  a  Federal  statute  requires  that  the  SSN  be  furnished,  or  if  the  SSN  is 
furnished  to  a  DoD  Component  maintaining  a  system  of  records  in  existence  that  was  established 
and  in  operation  before  January  1,  1975,  and  the  SSN  was  required  under  a  statute  or  regulation 
adopted  prior  to  this  date  for  purposes  of  verifying  the  identity  of  an  individual,  this  restriction  does 
not  apply. 

C2.1.2.2. When an individual is requested to provide his or her SSN, he or she must be told:

C2.1.2.2.1. What uses will be made of the SSN;

C2.1.2.2.2. The statute, regulation, or rule authorizing the solicitation of the SSN; and

C2.1.2.2.3. Whether providing the SSN is voluntary or mandatory.

C2.1.2.3.  Include  in  any  systems  notice  for  any  system  of  records  that  contains  SSNs  a 
statement  indicating  the  authority  for  maintaining  the  SSN. 

C2.1.2.4. Executive Order 9397 (Reference (l)) authorizes solicitation and use of SSNs as a
numerical  identifier  for  Federal  personnel  that  are  identified  in  most  Federal  record  systems. 
However,  it  does  not  constitute  authority  for  mandatory  disclosure  of  the  SSN. 

C2.1.2.5.  Upon  entrance  into  military  service  or  civilian  employment  with  the  Department 
of  Defense,  individuals  are  asked  to  provide  their  SSNs.  The  SSN  becomes  the  service  or 
employment  number  for  the  individual  and  is  used  to  establish  personnel,  financial,  medical,  and 
other official records. The notification in subparagraph C2.1.2.2 of this Chapter shall be provided
to  the  individual  when  originally  soliciting  his  or  her  SSN.  The  notification  is  not  required  if  an 
individual  is  requested  to  furnish  his  SSN  for  identification  purposes  and  the  SSN  is  solely  used  to 
verify  the  SSN  that  is  contained  in  the  records.  However,  if  the  SSN  is  solicited  and  retained  for 
any  purposes  other  than  verifying  the  existing  SSN  in  the  records,  the  requesting  official  shall 
provide the individual the notification required by subparagraph C2.1.2.2 of this Chapter.

C2.1.2.6. Components shall ensure that the SSN is only collected when there is
demonstrated  need  for  collection.  If  collection  is  not  essential  for  the  purposes  for  which  the  record 
or  records  are  being  maintained,  it  should  not  be  solicited. 

C2.1.2.7.  DoD  Components  shall  continually  review  their  use  of  the  SSN  to  determine 
whether  such  use  can  be  eliminated,  restricted,  or  concealed  in  Component  business  processes, 
systems  and  paper  and  electronic  forms.  While  use  of  the  SSN  may  be  essential  for  program 
integrity  and  national  security  when  information  about  an  individual  is  disclosed  outside  the  DoD, 
it  may  not  be  as  critical  when  the  information  is  being  used  for  internal  Departmental  purposes. 

C2.1.3.  Collecting  Personal  Information  from  Third  Parties.  When  information  being  solicited 
is  of  an  objective  nature  and  is  not  subject  to  being  altered,  the  information  should  first  be  collected 
from  the  individual.  But,  it  may  not  be  practicable  to  collect  personal  information  first  from  the 
individual  in  all  cases.  Some  examples  of  this  are: 

C2.1.3.1. Verification of information through third-party sources for security or
employment suitability determinations;

C2.1.3.2. Seeking third-party opinions such as supervisor comments as to job knowledge,
duty performance, or other opinion-type evaluations; and

C2.1.3.3. When obtaining information first from the individual may impede rather than
advance an investigative inquiry into the actions of the individual.

C2.1.3.4. Contacting a third party at the request of the individual to furnish certain
information,  such  as  exact  periods  of  employment,  termination  dates,  copies  of  records,  or  similar 
information. 

C2.1.4.  Privacy  Act  Statements 

C2.1.4.1. When an individual is requested to furnish personal information about himself or
herself for inclusion in a system of records, a Privacy Act statement is required regardless of the
medium used to collect the information (paper or electronic forms, personal interviews, telephonic
interviews, or other methods). The Privacy Act statement consists of the elements set forth in
subparagraph C2.1.4.2 of this Chapter. The statement enables the individual to make an informed
decision whether to provide the information requested. If the personal information solicited is not
to be incorporated into a system of records, the statement need not be given. However, personal
information obtained without a Privacy Act Statement shall not be incorporated into any system of
records. When soliciting SSNs for any purpose, see subparagraph C2.1.2.2 of this Chapter.

C2.1.4.2. The Privacy Act statement shall include:

C2.1.4.2.1. The Federal statute or Executive Order that authorizes collection of the
requested information. See paragraph C1.1.4 of Chapter 1.

C2.1.4.2.2. The principal purpose or purposes for which the information is to be used;

C2.1.4.2.3. The routine uses that will be made of the information. See paragraph
C4.2.3 of Chapter 4;

C2.1.4.2.4. Whether providing the information is voluntary or mandatory. See
paragraph C2.1.5. of this Chapter; and

C2.1.4.2.5. The effects on the individual if he or she chooses not to provide the
requested  information. 

C2.1.4.3.  The  Privacy  Act  statement  shall  be  concise,  current,  and  easily  understood. 

C2.1.4.4. The Privacy Act statement may appear as a public notice (sign or poster),
conspicuously displayed in the area where the information is collected, such as at check-cashing
facilities or identification photograph facilities. See paragraph C2.2.1 of this Chapter.

C2.1.4.5. The individual normally is not required to sign the Privacy Act statement.

C2.1.4.6. The individual shall be provided a written copy of the Privacy Act statement
upon  request.  This  must  be  done  regardless  of  the  method  chosen  to  furnish  the  initial  advisement. 

C2.1.5. Mandatory as Opposed to Voluntary Disclosures. Include in the Privacy Act statement
specifically whether furnishing the requested personal data is mandatory or voluntary. A
requirement to furnish personal data is mandatory only when the DoD Component is authorized to
impose a penalty on the individual for failure to provide the requested information. If a penalty
cannot  be  imposed,  disclosing  the  information  is  always  voluntary. 


C2.2.  FORMS 

C2.2.1.  DoD  Forms 

C2.2.1.1. DoD Instruction 7750.7 (Reference (m)) provides guidance for preparing Privacy
Act statements for use with forms (see also paragraph C2.2.1.2 of this Chapter).

C2.2.1.2. When forms are used to collect personal information, the Privacy Act statement
shall appear as follows (listed in the order of preference):

C2.2.1.2.1. In the body of the form, preferably just below the title so that the reader will
be advised of the contents of the statement before he or she begins to complete the form.

C2.2.1.2.2. On the reverse side of the form with an appropriate annotation under the
title giving its location;

C2.2.1.2.3. On a tear-off sheet attached to the form; or

C2.2.1.2.4. As a separate supplement to the form.

C2.2.2.  Forms  Issued  by  Non-DoD  Activities 

C2.2.2.1. Forms subject to Reference (b) issued by other Federal Agencies must have a
Privacy Act statement. Always ensure that the statement prepared by the originating Agency is
adequate for the purpose for which the form shall be used by the DoD activity. If the Privacy Act
statement provided is inadequate, the DoD Component concerned shall prepare a new statement or
a supplement to the existing statement before using the form.

C2.2.2.2.  Forms  issued  by  agencies  not  subject  to  Reference  (b)  (State,  municipal,  and 
other  local  agencies)  do  not  contain  Privacy  Act  statements.  Before  using  a  form  prepared  by  such 
agencies  to  collect  personal  data  subject  to  this  Regulation,  an  appropriate  Privacy  Act  statement 
must be added.

C3. CHAPTER 3

ACCESS BY INDIVIDUALS

C3.1.  INDIVIDUAL  ACCESS  TO  PERSONAL  INFORMATION 

C3.1.1.  Individual  Access 

C3.1.1.1. The access provisions of this Regulation are intended for use by individuals
who  seek  access  to  records  about  themselves  that  are  maintained  in  a  system  of  records.  Release  of 
personal  information  to  individuals  under  this  Regulation  is  not  considered  public  release  of  the 
information. 

C3.1.1.2. Make available to the individual to whom the record pertains all of the
personal  information  contained  in  the  system  of  records  except  where  access  may  be  denied 
pursuant  to  an  exemption  claimed  for  the  system.  See  Chapter  5  of  this  Regulation.  However, 
when  the  access  provisions  of  this  chapter  are  not  available  to  the  individual  due  to  a  claimed 
exemption,  the  request  shall  be  processed  to  provide  information  that  is  disclosable  pursuant  to 
Reference  (d). 

C3.1.2.  Individual  Requests  for  Access.  Individuals  shall  address  requests  for  access  to 
personal  information  in  a  system  of  records  to  the  system  manager  or  to  the  office  designated  in  the 
DoD  Component  procedural  rules  or  the  system  notice. 

C3.1.3.  Verification  of  Identity 

C3.1.3.1. Before granting access to personal data, an individual may be required to provide
reasonable proof of his or her identity.

C3.1.3.2. Identity verification procedures shall not:

C3.1.3.2.1. Be so complicated as to unnecessarily discourage individuals from seeking
access to information about themselves; or

C3.1.3.2.2. Be required of an individual seeking access to records that normally would
be  available  under  Reference  (d). 

C3.1.3.3.  When  an  individual  seeks  personal  access  to  records  pertaining  to  themselves  in 
person,  proof  of  identity  is  normally  provided  by  documents  that  an  individual  ordinarily  possesses, 
such  as  employee  and  military  identification  cards,  driver’s  license,  other  licenses,  permits,  or 
passes  used  for  routine  identification  purposes. 

C3.1.3.4. When access is requested by mail, identity verification may consist of the
individual providing certain minimum identifying data, such as full name, date and place of birth,
or such other personal information necessary to locate the record sought and information that is
ordinarily only known to the individual. If the information sought is of a sensitive nature,
additional identifying data may be required. An unsworn declaration under penalty of perjury in
accordance with section 1746 of 28 U.S.C. (Reference (n)) or notarized signatures are acceptable as
a means of proving the identity of the individual.

C3.1.3.4.1. If an unsworn declaration is executed within the United States, its
territories,  possessions,  or  commonwealths,  it  shall  read  “I  declare  (or  certify,  verify,  or  state)  under 
penalty  of  perjury  that  the  foregoing  is  true  and  correct.  Executed  on  (date).  (Signature).” 

C3.1.3.4.2. If an unsworn declaration is executed outside the United States, it shall read
“I  declare  (or  certify,  verify,  or  state)  under  penalty  of  perjury  under  the  laws  of  the  United  States 
of  America  that  the  foregoing  is  true  and  correct.  Executed  on  (date).  (Signature).” 

C3.1.3.5.  If  an  individual  wishes  to  be  accompanied  by  a  third  party  when  seeking  access  to 
his  or  her  records  or  to  have  the  records  released  directly  to  a  third  party,  the  individual  may  be 
required  to  furnish  a  signed  access  authorization  granting  the  third-party  access. 

C3.1.3.6. An individual shall not be refused access to his or her record solely because he or
she refuses to provide his or her SSN, unless the SSN is the only method by which retrieval can be
made. See paragraph C2.1.2 of Chapter 2.

C3.1.3.7. The individual is not required to explain or justify his or her need for access to
any  record  under  this  Regulation. 

C3.1.3.8.  Only  a  denial  authority  may  deny  access,  and  the  denial  must  be  in  writing  and 
contain  the  information  required  by  paragraph  C3.2.2  of  this  Chapter. 

C3.1.4.  Granting  Individual  Access  to  Records 

C3.1.4.1. Grant the individual access to the original record or an exact copy of the original
record without any changes or deletions, except when deletions have been made in accordance with
paragraph C3.1.5 of this Chapter. For the purpose of granting access, a record that has been
amended under paragraph C3.3.2 of this Chapter is considered to be the original. See paragraph
C3.1.5 of this Chapter for the policy regarding the use of summaries and extracts.

C3.1.4.2. Provide exact copies of the records when furnishing the individual copies of
records under this Regulation.

C3.1.4.3. Explain in terms understood by the requestor any record or portion of a record
that  is  not  clear. 

C3.1.5.  Illegible,  Incomplete,  or  Partially  Exempt  Records 

C3.1.5.1. Do not deny an individual access to a record or a copy of a record solely because
the physical condition or format of the record does not make it readily available (deteriorated state
or on magnetic tape). Either prepare an extract, or recopy the document exactly.

C3.1.5.2. If a portion of the record contains information that is exempt from access, an
extract  or  summary  containing  all  of  the  information  in  the  record  that  is  releasable  shall  be 
prepared. 

C3.1.5.3.  When  the  physical  condition  of  the  record  or  its  state  makes  it  necessary  to 
prepare  an  extract  for  release,  ensure  that  the  extract  can  be  understood  by  the  requester. 

C3.1.5.4. Explain to the requester all deletions or changes to the records.

C3.1.6.  Access  to  Medical  Records 

C3.1.6.1. Access to medical records is not only governed by the access provisions of this
Regulation, but also by the access provisions of DoD 6025.18-R (Reference (o)). The Privacy Act
(Reference (b)), as implemented by this regulation, however, provides greater access to an
individual’s medical records than that authorized by Reference (o).

C3.1.6.2. Medical records in a system of records shall be disclosed to the individual to
whom they pertain, even if a minor; but, when it is believed that access to such records could have
an adverse effect on the mental or physical health of the individual or may result in harm to a third
party, the following special procedures apply:

C3.1.6.2.1. If a determination is made in consultation with a medical doctor that release
of the medical information may be harmful to the mental or physical health of the individual, or to
a third party, the Component shall:

C3.1.6.2.1.1. Send the record to a physician named by the individual; and

C3.1.6.2.1.2. In the transmittal letter to the physician, explain why access by the
individual without proper professional supervision could be harmful (unless it is obvious from the
record).

C3.1.6.2.2. The Component shall not require the physician to request the records for the
individual.

C3.1.6.3.  If  the  individual  refuses  or  fails  to  designate  a  physician,  the  record  shall  not  be 
provided.  Such  refusal  of  access  is  not  considered  a  denial  under  the  Privacy  Act.  See  paragraph 
C3.2.1  and  C3.2.2  of  this  Chapter. 

C3.1.6.4. If records are provided to the designated physician, but the physician declines or
refuses  to  provide  the  records  to  the  individual,  the  DoD  Component  is  under  an  affirmative  duty  to 
take  action  to  deliver  the  records  to  the  individual  by  whatever  means  deemed  appropriate.  Such 
action  should  be  taken  expeditiously,  especially  if  there  has  been  a  significant  delay  between  the 
time  the  records  were  furnished  the  physician  and  the  decision  by  the  physician  not  to  release  the 
records.

C3.1.6.5. Access to a minor’s medical records may be granted to his or her parents or legal
guardians.  However,  access  is  subject  to  the  restrictions  as  set  forth  at  paragraph  C9.7.3  of 
Reference  (o). 

C3.1.6.6.  Members  of  the  Military  Services  and  all  married  persons  are  not  considered 
minors regardless of age, and the parents of these individuals do not have access to their medical
records  without  written  consent  of  the  individual. 

C3.1.7.  Access  to  Information  Compiled  in  Anticipation  of  a  Civil  Action.  (See  Chapter  5  of 
this  Regulation). 

C3.1.8.  Non-Agency  Records 

C3.1.8.1. Certain documents under the physical control of DoD personnel and used to assist
them in performing official functions, are not considered “Agency records” within the meaning of
this  Regulation.  Uncirculated  personal  notes  and  records  that  are  not  disseminated  or  circulated  to 
any  person  or  organization  (for  example,  personal  telephone  lists  or  memory  aids)  that  are  retained 
or  discarded  at  the  author’s  discretion  and  over  which  the  Component  exercises  no  direct  control 
are  not  considered  Agency  records.  However,  if  personnel  are  officially  directed  or  encouraged, 
either  in  writing  or  orally,  to  maintain  such  records,  they  may  become  “Agency  records”  and  may 
be  subject  to  this  Regulation. 

C3.1.8.2. The personal uncirculated handwritten notes of unit leaders, office supervisors, or
military  supervisory  personnel  concerning  subordinates  are  not  systems  of  records  within  the 
meaning  of  this  Regulation.  Such  notes  are  an  extension  of  the  individual’s  memory.  These  notes, 
however,  must  be  maintained  and  discarded  at  the  discretion  of  the  individual’s  supervisor  and  not 
circulated  to  others.  Any  established  requirement  to  maintain  such  notes  (such  as,  written  or  oral 
directives,  regulations,  or  command  policy)  may  transform  these  notes  into  “Agency  records,”  and 
they  then  must  be  made  a  part  of  a  system  of  records.  If  the  notes  are  circulated,  they  must  be 
made  a  part  of  a  system  of  records.  Any  action  that  gives  personal  notes  the  appearance  of  official 
Agency  records  is  prohibited,  unless  the  notes  have  been  incorporated  into  a  system  of  records. 

C3.1.9.  Relationship  between  the  Privacy  Act  (Reference  (b))  and  section  552  of  5  U.S.C.,  the 
Freedom  of  Information  Act  (Reference  (p)).  Not  all  requesters  are  knowledgeable  of  the 
appropriate  statutory  authority  to  cite  when  requesting  records.  In  some  instances,  they  may  cite 
neither  Act,  but  will  imply  one  or  both  Acts.  The  below  guidelines  are  provided  to  ensure  that 
requesters are given the maximum amount of information as authorized under both statutes.

C3.1.9.1. Process requests for individual access as follows:

C3.1.9.1.1. If the records are required to be released under the Privacy Act, FOIA
does not bar release even if a FOIA exemption could be invoked if the request had been processed
solely under FOIA. Conversely, if the records are required to be released under FOIA, the Privacy
Act does not bar disclosure.

C3.1.9.1.2. Requesters who seek records about themselves contained in a Privacy Act
system  of  records,  and  who  cite  or  imply  only  the  Privacy  Act,  will  have  their  records  processed 
under  the  provisions  of  this  Regulation  and  Reference  (d).  If  the  system  of  records  is  exempt  from 
the  access  provisions  of  this  Regulation,  and  if  the  records,  or  any  portion  thereof,  are  exempt 
under  FOIA,  the  requester  shall  be  advised  and  informed  of  the  appropriate  Privacy  and  FOIA 
exemptions.  Only  if  the  records  can  be  denied  under  both  statutes  may  the  Department  of  Defense 
withhold  the  records  from  the  individual.  Appeals  shall  be  processed  under  both  Acts. 

C3.1.9.1.3. Requesters who seek records about themselves that are not contained in a
Privacy Act system of records, and who cite or imply only the Privacy Act, will have their requests
processed under the provisions of Reference (d), since the access provisions of this Regulation do
not  apply.  Appeals  shall  be  processed  under  the  FOIA. 

C3.1.9.1.4. Requesters who seek records about themselves that are contained in a
Privacy Act system of records, and who cite or imply FOIA or both Acts, will have their requests
processed under the provisions of this Regulation and Reference (d). If the system of records is
exempt from the access provisions of this Regulation, and if the records, or any portion thereof, are
exempt under FOIA, the requester shall be advised and informed of the appropriate Privacy and
FOIA  exemptions.  Appeals  shall  be  processed  under  both  Acts. 

C3.1.9.1.5. Requesters who seek records about themselves that are not contained in a
Privacy  Act  system  of  records,  and  who  cite  or  imply  the  Privacy  Act  and  FOIA,  will  have  their 
requests  processed  under  Reference  (d),  since  the  access  provisions  of  this  Regulation  do  not  apply. 
Appeals  shall  be  processed  under  FOIA. 

C3.1.9.2. Do not deny individuals’ access to personal information concerning them that
would  otherwise  be  releasable  to  them  under  either  Act  solely  because  they  fail  to  cite  or  imply 
either  Act  or  cite  the  wrong  Act,  Regulation,  or  Instruction. 

C3.1.9.3. Explain to the requester which Act(s) was(were) used when granting or denying
access  under  either  Act. 

C3.1.10.  Time  Limits.  DoD  Components  normally  shall  provide  access  within  20  working 
days  after  receipt  of  the  request.  If  access  cannot  be  given  within  the  20  working  day  period,  the 
requester  shall  be  notified  in  an  interim  response. 

C3.1.11. Privacy Act Case File. Establish a Privacy Act case file, when required. See
paragraph C3.3.16 of this Chapter.

C3.2. DENIAL OF INDIVIDUAL ACCESS

C3.2.1. Denying Individual Access

C3.2.1.1. An individual may be denied access to a record pertaining to him or her only if
the record:

C3.2.1.1.1. Was compiled in reasonable anticipation of a civil action or proceeding.
See paragraph C5.2 of Chapter 5.

C3.2.1.1.2. Is in a system of records that has been exempted from the access provisions
of this Regulation under one of the permitted exemptions. See paragraphs 5.3 and 5.4 of
Chapter 5.

C3.2.1.1.3. Contains classified information that has been exempted from the access
provisions of this Regulation under the blanket exemption for such material claimed for all DoD
records systems. See paragraph C5.1.3. of Chapter 5.

C3.2.1.1.4. Is contained in a system of records for which access may be denied under
some other Federal statute that excludes the record from coverage of Reference (b).

C3.2.1.2. Where a basis for denial exists, do not deny the record, or portions of the record,
if  denial  does  not  serve  a  legitimate  governmental  purpose. 

C3.2.2.  Other  Reasons  to  Refuse  Access 

C3.2.2.1.  An  individual  may  be  refused  access  if: 

C3.2.2.1.1. The record is not described well enough to enable it to be located with a
reasonable  amount  of  effort  on  the  part  of  an  employee  familiar  with  the  file;  or 

C3.2.2.1.2.  Access  is  sought  by  an  individual  who  fails  or  refuses  to  comply  with  the 
established  procedural  requirements,  including  refusing  to  name  a  physician  to  receive  medical 
records,  when  required,  (see  paragraph  C3.1.6  of  this  Chapter),  or  to  pay  fees  (see  section  C3.4  of 
this  Chapter). 

C3.2.2.2.  Always  explain  to  the  individual  the  specific  reason  access  has  been  refused  and 
how  he  or  she  may  obtain  access. 

C3.2.3.  Notifying  the  Individual.  Formal  denials  of  access  must  be  in  writing  and  include  at  a 
minimum: 

C3.2.3.1.  The  name,  title  or  position,  and  signature  of  a  designated  Component  denial 
authority; 

C3.2.3.2. The date of the denial;

C3.2.3.3. The specific reason for the denial, including specific citations to the appropriate
sections  of  the  Privacy  Act  or  other  statutes,  this  Regulation,  DoD  Component  instructions,  or  Code 
of  Federal  Regulations  (CFR)  authorizing  the  denial; 

C3.2.3.4.  Notice  to  the  individual  of  his  or  her  right  to  appeal  the  denial  through  the 
Component  appeal  procedure  within  60  calendar  days;  and 

C3.2.3.5.  The  title  or  position  and  address  of  the  Privacy  Act  appeals  official  for  the 
Component. 

C3.2.4.  DoD  Component  Appeal  Procedures.  Establish  internal  appeal  procedures  that,  at  a 
minimum,  provide  for: 

C3.2.4.1.  Review  by  the  Head  of  the  Component,  or  his  or  her  designee,  of  any  appeals  by 
an  individual  from  a  denial  of  access  to  Component  records. 

C3.2.4.2. Formal written notification to the individual by the appeal authority that shall:

C3.2.4.2.1. Include, at a minimum, the following, if the denial is sustained totally or in
part:

C3.2.4.2.1.1. The exact reason for denying the appeal, to include specific citations
to the provisions of the Act or other statutes, this Regulation, Component instructions, or the CFR
upon which the determination is based;

C3.2.4.2.1.2. The date of the appeal determination;

C3.2.4.2.1.3. The name, title, and signature of the appeal authority; and

C3.2.4.2.1.4. A statement informing the applicant of his or her right to seek judicial
relief.


C3.2.4.2.2.  If  the  appeal  is  granted,  notify  the  individual  and  provide  access  to  the 
material  to  which  access  has  been  granted. 

C3.2.4.3.  The  written  appeal  notification  granting  or  denying  access  is  the  final  Component 
action  regarding  access. 

C3.2.4.4.  The  individual  shall  file  any  appeal  from  denial  of  access  within  no  less  than  60 
calendar  days  of  receipt  of  the  denial  notification. 

C3.2.4.5. Process all appeals within 30 days of receipt, unless the appeal authority
determines that a fair and equitable review cannot be made within that period. Notify the applicant
in writing if additional time is required for the appellate review. The notification must include the
reasons for the delay and state when the individual may expect an answer to the appeal.

C3.2.5. Denial of Appeals by Failure to Act. A requester may consider his or her appeal
formally  denied  if  the  appeal  authority  fails: 

C3.2.5.1.  To  act  on  the  appeal  within  30  days; 

C3.2.5.2.  To  provide  the  requester  with  a  notice  of  extension  within  30  days;  or 

C3.2.5.3.  To  act  within  the  time  limits  established  in  the  Component’s  notice  of  extension. 
See  paragraph  C3.2.4.5  of  this  Chapter. 

C3.2.6. Denying Access to OPM Records Held by the DoD Components

C3.2.6.1.  The  records  in  all  systems  of  records  maintained  in  accordance  with  the  OPM 
Government-wide  system  notices  are  technically  only  in  the  temporary  custody  of  the  Department 
of  Defense. 

C3.2.6.2.  All  requests  for  access  to  these  records  must  be  processed  in  accordance  with  part 
297  of  Reference  (e)  as  well  as  applicable  Component  procedures. 

C3.2.6.3.  When  a  DoD  Component  refuses  to  grant  access  to  a  record  in  an  OPM  system, 
the  Component  shall  advise  the  individual  that  his  or  her  appeal  must  be  directed  to  the  Assistant 
Director  for  Workforce  Information,  Personnel  Systems  and  Oversight  Group,  U.S.  Office  of 
Personnel  Management,  1900  E  Street,  N.W.,  Washington,  D.C.  20415,  in  accordance  with  the 
procedures  of  part  297  of  Reference  (e). 


C3.3.  AMENDMENT  OF  RECORDS 

C3.3.1.  Individual  Review  and  Correction.  Individuals  are  encouraged  to  periodically  review 
the  personal  information  being  maintained  about  them  by  the  DoD  Components  and  to  avail 
themselves  of  the  procedures  established  by  this  Regulation  and  other  Regulations  to  update  their 
records. 

C3.3.2.  Amending  Records 

C3.3.2.1.  An  individual  may  request  the  amendment  of  any  record  contained  in  a  system  of 
records  pertaining  to  him  or  her  unless  the  system  of  record  has  been  exempted  specifically  from 
the  amendment  procedures  of  this  Regulation  under  paragraph  C5.1.2  of  Chapter  5.  Normally,
amendments  under  this  Regulation  are  limited  to  correcting  factual  matters  and  not  matters  of 
official  judgment,  such  as  performance  ratings,  promotion  potential,  and  job  performance 
appraisals. 

C3.3.2.2.  While  a  Component  may  require  that  the  request  for  amendment  be  in  writing, 
this  requirement  shall  not  be  used  to  discourage  individuals  from  requesting  valid  amendments,  or 
to  unnecessarily  delay  the  amendment  process.

C3.3.2.3.  A  request  for  amendment  must  include:

C3.3.2.3.1.  A  description  of  the  item  or  items  to  be  amended;

C3.3.2.3.2.  The  specific  reason  for  the  amendment; 

C3.3.2.3.3.  The  type  of  amendment  action  sought  (deletion,  correction,  or  addition);  and

C3.3.2.3.4.  Copies  of  available  documentary  evidence  supporting  the  request. 

C3.3.3.  Burden  of  Proof.  The  applicant  must  adequately  support  his  or  her  claim. 

C3.3.4.  Identification  of  Requesters 

C3.3.4.1.  Individuals  may  be  required  to  provide  identification  to  ensure  that  they  are 
indeed  seeking  to  amend  a  record  pertaining  to  themselves  and  not,  inadvertently  or  intentionally, 
the  records  of  others. 


C3.3.4.2.  The  identification  procedures  shall  not  be  used  to  discourage  legitimate 
requests  or  to  needlessly  burden  or  delay  the  amendment  process.  (See  paragraph  C3.1.3.  of  this
Chapter.) 

C3.3.5.  Limits  on  Attacking  Evidence  Previously  Submitted 

C3.3.5.1.  The  amendment  process  is  not  intended  to  permit  the  alteration  of  records
presented  in  the  course  of  judicial  or  quasi-judicial  proceedings.  Any  amendments  or  changes  to 
these  records  are  typically  made  through  the  specific  procedures  established  for  the  amendment  of 
such  records. 


C3.3.5.2.  Nothing  in  the  amendment  process  is  intended  or  designed  to  permit  a  collateral 
attack  upon  what  has  already  been  the  subject  of  a  judicial  or  quasi-judicial  determination. 
However,  while  the  individual  may  not  attack  the  accuracy  of  the  judicial  or  quasi-judicial 
determination  under  this  Regulation,  he  or  she  may  challenge  the  accuracy  of  the  recording  of  that
action. 


C3.3.6.  Sufficiency  of  a  Request  to  Amend.  Consider  the  following  factors  when  evaluating 
the  sufficiency  of  a  request  to  amend: 

C3.3.6.1.  The  accuracy  of  the  information  itself;  and 

C3.3.6.2.  The  relevancy,  timeliness,  completeness,  and  necessity  of  the  recorded 
information.

C3.3.7.  Time  Limits

C3.3.7.1.  Provide  written  acknowledgment  of  a  request  to  amend  within  10  working  days 
of  its  receipt  by  the  appropriate  systems  manager.  If  the  action  is  completed  within  10  working 
days  and  the  individual  is  so  informed,  the  request  does  not  need  to  be  acknowledged. 

C3.3.7.2.  The  letter  of  acknowledgment  shall  clearly  identify  the  request  and  advise  the 
individual  when  he  or  she  may  expect  to  be  notified  of  the  completed  action. 

C3.3.7.3.  Only  under  the  most  exceptional  circumstances  shall  more  than  30  days  be 
required  to  reach  a  decision  on  a  request  to  amend.  Document  fully  and  explain  in  the  Privacy  Act 
case  file  (see  paragraph  C3.3.16  of  this  Chapter)  any  such  decision  that  takes  more  than  30  days  to 
resolve. 

C3.3.8.  Agreement  to  Amend.  If  the  decision  is  made  to  grant  all  or  part  of  the  request  for 
amendment,  amend  the  record  accordingly  and  notify  the  requester. 

C3.3.9.  Notification  of  Previous  Recipients 

C3.3.9.1.  Notify  all  previous  recipients  of  the  record,  as  reflected  in  the  disclosure 
accounting  records,  that  an  amendment  has  been  made  and  the  substance  of  the  amendment. 
Recipients  who  are  known  to  be  no  longer  retaining  the  information  need  not  be  advised  of  the 
amendment.  All  DoD  Components  and  Federal  Agencies  known  to  be  retaining  the  record  or 
information,  even  if  not  reflected  in  a  disclosure  record,  shall  be  notified  of  the  amendment.
Advise  the  requester  of  these  notifications.

C3.3.9.2.  Honor  all  requests  by  the  requester  to  notify  specific  Federal  Agencies  of  the 
amendment  action. 

C3.3.10.  Denying  Amendment.  If  the  request  for  amendment  is  denied  in  whole  or  in  part, 
promptly  advise  the  individual,  in  writing,  of  the  decision,  to  include: 

C3.3.10.1.  The  specific  reason  and  authority  for  not  amending;

C3.3.10.2.  Notification  that  he  or  she  may  seek  further  independent  review  of  the  decision
by  the  Head  of  the  DoD  Component  or  his  or  her  designee;

C3.3.10.3.  The  procedures  for  appealing  the  decision  citing  the  position  and  address  of  the
official  to  whom  the  appeal  shall  be  addressed;  and

C3.3.10.4.  Where  he  or  she  can  receive  assistance  in  filing  the  appeal.

C3.3.11.  DoD  Component  Appeal  Procedures.  Establish  procedures  to  ensure  the  prompt,
complete,  and  independent  review  of  each  amendment  denial  upon  appeal  by  the  individual.  These
procedures  must  ensure  that:

C3.3.11.1.  The  appeal  with  all  supporting  materials  both  that  furnished  the  individual  and
that  are  contained  in  Component  records  is  provided  to  the  reviewing  official;  and

C3.3.11.2.  If  the  appeal  is  denied  completely  or  in  part,  the  individual  is  notified,  in
writing,  by  the  reviewing  official  that: 

C3.3.11.2.1.  The  appeal  has  been  denied  and  the  specific  reason  and  authority  for  the
denial;

C3.3.11.2.2.  The  individual  may  file  a  statement  of  disagreement  with  the  appropriate
authority  and  the  procedures  for  filing  a  statement;

C3.3.11.2.3.  If  filed  properly,  the  statement  of  disagreement  shall  be  included  in  the
records,  furnished  to  all  future  recipients  of  the  records,  and  provided  to  all  prior  recipients  of  the
disputed  records  who  are  known  to  hold  the  record;  and

C3.3.11.2.4.  The  individual  may  seek  a  judicial  review  of  the  decision  not  to  amend.

C3.3.11.3.  If  the  record  is  amended,  ensure  that: 

C3.3.11.3.1.  The  requester  is  promptly  notified  of  the  decision;

C3.3.11.3.2.  All  prior  known  recipients  of  the  records  who  are  known  to  be  retaining
the  record  are  notified  of  the  decision  and  the  specific  nature  of  the  amendment  (see  paragraph
C3.3.9  of  this  Chapter);  and

C3.3.11.3.3.  The  requester  is  notified  which  DoD  Components  and  Federal  Agencies
have  been  told  of  the  amendment.

C3.3.11.4.  Process  all  appeals  within  30  days  unless  the  appeal  authority  determines  that  a
fair  review  cannot  be  made  within  this  time  limit.  If  additional  time  is  required  for  the  appeal, 
notify  the  requester,  in  writing,  of  the  delay,  the  reason  for  the  delay,  and  when  he  or  she  may 
expect  a  final  decision  on  the  appeal.  Document  fully  all  requirements  for  additional  time  in  the 
Privacy  Act  case  file.  See  paragraph  C3.3.16.  of  this  Chapter. 

C3.3.12.  Denying  Amendment  of  OPM  Records  Held  by  the  DoD  Components

C3.3.12.1.  The  records  in  all  systems  of  records  controlled  by  the  OPM  Government-wide
system  notices  are  technically  only  temporarily  in  the  custody  of  the  Department  of  Defense.

C3.3.12.2.  All  requests  for  amendment  of  these  records  must  be  processed  in  accordance
with  Part  297  of  Reference  (e).  The  Component  denial  authority  may  deny  a  request.  However, 
when  an  amendment  request  is  denied,  the  DoD  Component  shall  advise  the  individual  that  his  or 
her  appeal  must  be  directed  to  the  Assistant  Director  for  Workforce  Information,  Personnel 
Systems  and  Oversight  Group,  U.S.  Office  of  Personnel  Management,  1900  E  Street  N.W., 
Washington,  DC  20415,  in  accordance  with  the  procedures  of  297  (Reference  (e)). 

C3.3.13.  Statements  of  Disagreement  Submitted  by  Individuals 

C3.3.13.1.  If  the  appellate  authority  refuses  to  amend  the  record  as  requested,  the
individual  may  submit  a  concise  statement  of  disagreement  setting  forth  his  or  her  reasons  for 
disagreeing  with  the  decision  not  to  amend. 

C3.3.13.2.  If  an  individual  chooses  to  file  a  statement  of  disagreement,  annotate  the  record
to  indicate  that  the  statement  has  been  filed.  See  paragraph  C3.3.14.  of  this  Chapter.

C3.3.13.3.  Furnish  copies  of  the  statement  of  disagreement  to  all  DoD  Components  and
Federal  Agencies  that  have  been  provided  copies  of  the  disputed  information  and  who  may  be
maintaining  the  information. 

C3.3.14.  Maintaining  Statements  of  Disagreement 

C3.3.14.1.  When  possible,  incorporate  the  statement  of  disagreement  into  the  record.

C3.3.14.2.  If  the  statement  cannot  be  made  a  part  of  the  record,  establish  procedures  to
ensure  that  it  is  apparent  from  the  records  that  a  statement  of  disagreement  has  been  filed  and
maintain  the  statement  so  that  it  can  be  obtained  readily  when  the  disputed  information  is  used  or
disclosed.

C3.3.14.3.  Automated  record  systems  that  are  not  programmed  to  accept  statements  of
disagreement  shall  be  annotated  or  coded  so  that  they  clearly  indicate  that  a  statement  of 
disagreement  is  on  file,  and  clearly  identify  the  statement  with  the  disputed  information  in  the 
system. 


C3.3.14.4.  Provide  a  copy  of  the  statement  of  disagreement  whenever  the  disputed
information  is  disclosed  for  any  purpose. 

C3.3.15.  The  DoD  Component  Statement  of  Reasons  for  Refusing  to  Amend 

C3.3.15.1.  A  statement  of  reasons  for  refusing  to  amend  may  be  included  with  any  record
for  which  a  statement  of  disagreement  is  filed.

C3.3.15.2.  Include  in  this  statement  only  the  reasons  furnished  to  the  individual  for  not
amending  the  record.  Do  not  comment  on  or  respond  to  comments  contained  in  the  statement  of
disagreement.  Normally,  both  statements  are  filed  together.

C3.3.15.3.  When  disclosing  information  for  which  a  statement  of  reasons  has  been  filed,  a
copy  of  the  statement  may  be  released  whenever  the  record  and  the  statement  of  disagreement  are 
disclosed. 


C3.3.16.  Privacy  Case  Files 

C3.3.16.1.  Establish  a  separate  Privacy  Case  File  to  retain  the  documentation  received  and
generated  during  the  amendment  or  access  process.

C3.3.16.2.  The  Privacy  Case  File  shall  contain  as  a  minimum:

C3.3.16.2.1.  The  request  for  amendment  and  access;

C3.3.16.2.2.  Copies  of  the  DoD  Component’s  reply  granting  or  denying  the  request;

C3.3.16.2.3.  Any  appeals  from  the  individual;

C3.3.16.2.4.  Copies  of  the  action  regarding  the  appeal  with  supporting  documentation
that  is  not  in  the  basic  file;  and

C3.3.16.2.5.  Any  other  correspondence  generated  in  processing  the  appeal,  to  include
coordination  documentation. 


C3.3.16.3.  Only  the  items  listed  in  subparagraphs  C3.3.16.4.  and  C3.3.16.5.  of  this  Chapter 
may  be  included  in  the  system  of  records  challenged  for  amendment  or  for  which  access  is  sought. 
Do  not  retain  copies  of  the  original  record  in  the  basic  record  system  if  the  request  for  amendment 
is  granted  and  the  record  has  been  amended. 

C3.3.16.4.  The  following  items  relating  to  an  amendment  request  may  be  included  in  the
disputed  record  system:

C3.3.16.4.1.  Copies  of  the  amended  record.

C3.3.16.4.2.  Copies  of  the  individual’s  statement  of  disagreement.  See  paragraph
C3.3.13.  of  this  Chapter.

C3.3.16.4.3.  Copies  of  the  Component’s  statement  of  reasons  for  refusing  to  amend.
See  paragraph  C3.3.15.  of  this  Chapter.

C3.3.16.4.4.  Supporting  documentation  submitted  by  the  individual.

C3.3.16.5.  The  following  items  relating  to  an  access  request  may  be  included  in  the  basic
records  system:

C3.3.16.5.1.  Copies  of  the  request;

C3.3.16.5.2.  Copies  of  the  Component’s  action  granting  total  or  partial  access  (a
separate  Privacy  case  file  need  not  be  created  in  such  cases); 

C3.3.16.5.3.  Copies  of  the  Component’s  action  denying  access;

C3.3.16.5.4.  Copies  of  any  appeals  filed;  and

C3.3.16.5.5.  Copies  of  the  reply  to  the  appeal.

C3.3.16.6.  Privacy  case  files  shall  not  be  furnished  or  disclosed  to  anyone  for  use  in
making  any  determination  about  the  individual  other  than  determinations  made  under  this
Regulation. 


C3.4.  REPRODUCTION  FEES 

C3.4.1.  Assessing  Fees 

C3.4.1.1.  Charge  the  individual  only  the  direct  cost  of  reproduction.

C3.4.1.2.  Do  not  charge  reproduction  fees  if  copying  is:

C3.4.1.2.1.  The  only  means  to  make  the  record  available  to  the  individual  (for  example,
a  copy  of  the  record  must  be  made  to  delete  classified  information).

C3.4.1.2.2.  For  the  convenience  of  the  DoD  Component  (for  example,  the  Component
has  no  reading  room  where  an  individual  may  review  the  record,  or  reproduction  is  done  to  keep
the  original  in  the  Component’s  file).

C3.4.1.2.3.  No  fees  shall  be  charged  when  the  record  may  be  obtained  without  charge
under  any  other  Regulation,  Directive,  or  statute.

C3.4.1.2.4.  Do  not  use  fees  to  discourage  requests.

C3.4.2.  No  Minimum  Fees  Authorized.  Use  fees  only  to  recoup  direct  reproduction  costs 
associated  with  granting  access.  Minimum  fees  for  duplication  are  not  authorized  and  there  is  no 
automatic  charge  for  processing  a  request. 

C3.4.3.  Prohibited  Fees.  Do  not  charge  or  collect  fees  for: 

C3.4.3.1.  Search  and  retrieval  of  records; 

C3.4.3.2.  Review  of  records  to  determine  releasability;

C3.4.3.3.  Copying  records  for  the  DoD  Component  convenience,  or  when  the  individual
has  not  specifically  requested  a  copy;

C3.4.3.4.  Transportation  of  records  and  personnel;  or

C3.4.3.5.  Normal  postage. 

C3.4.4.  Waiver  of  Fees 

C3.4.4.1.  Normally,  fees  are  waived  automatically  if  the  direct  costs  of  a  given  request  are 
less  than  $30.  This  fee  waiver  provision  does  not  apply  when  a  waiver  has  been  granted  to  the 
individual  before,  and  later  requests  appear  to  be  an  extension  or  duplication  of  that  original 
request.  A  DoD  Component  may,  however,  set  aside  this  automatic  fee  waiver  provision  when,  on 
the  basis  of  good  evidence,  it  determines  that  the  waiver  of  fees  is  not  in  the  public  interest.

C3.4.4.2.  Decisions  to  waive  or  reduce  fees  that  exceed  the  automatic  waiver  threshold 
shall  be  made  on  a  case-by-case  basis. 

C3.4.5.  Fees  for  Members  of  Congress.  Do  not  charge  members  of  Congress  for  copying 
records  furnished,  even  when  the  records  are  requested  under  the  Privacy  Act  on  behalf  of  a 
constituent.  See  paragraph  C4.2.11  of  Chapter  4.  When  replying  to  a  constituent  inquiry  and  the
fees  involved  are  substantial,  consider  suggesting  to  the  Congressman  that  the  constituent  can 
obtain  the  information  directly  by  writing  to  the  appropriate  offices  and  paying  the  costs.  When 
practical,  suggest  to  the  Congressman  that  the  record  can  be  examined  at  no  cost  if  the  constituent 
wishes  to  visit  the  custodian  of  the  record. 

C3.4.6.  Reproduction  Fees  Computation.  Compute  fees  using  the  appropriate  portions  of  the 
fee  schedule  in  Reference  (d).

C4.  CHAPTER  4

DISCLOSURE  OF  PERSONAL  INFORMATION 
TO  OTHER  AGENCIES  AND  THIRD  PARTIES 


C4.1.  CONDITIONS  OF  DISCLOSURE 

C4.1.1.  Disclosures  to  Third  Parties 

C4.1.1.1.  The  Privacy  Act  only  compels  disclosure  of  records  from  a  system  of  records  to
the  individuals  to  whom  they  pertain  unless  the  records  are  contained  in  a  system  for  which  an
exemption  to  the  access  provisions  of  this  Regulation  has  been  claimed.

C4.1.1.2.  Requests  by  other  individuals  (third  parties)  for  the  records  of  individuals  that  are
contained  in  a  system  of  records  shall  be  processed  under  Reference  (d),  except  for  requests  by  the 
parents  of  a  minor,  or  the  legal  guardian  of  an  individual,  for  access  to  the  records  pertaining  to  the 
minor  or  individual. 

C4.1.2.  Disclosures  among  the  DoD  Components.  For  the  purposes  of  disclosure  and 
disclosure  accounting,  the  Department  of  Defense  is  considered  a  single  agency.  See  paragraph 
C4.2.1.  of  this  Chapter. 

C4.1.3.  Disclosures  outside  the  Department  of  Defense.  Do  not  disclose  personal  information 
from  a  system  of  records  outside  the  Department  of  Defense  unless: 

C4.1.3.1.  The  record  has  been  requested  by  the  individual  to  whom  it  pertains;

C4.1.3.2.  The  written  consent  of  the  individual  to  whom  the  record  pertains  has  been 
obtained  for  release  of  the  record  to  the  requesting  Agency,  activity,  or  individual;  or 

C4.1.3.3.  The  release  is  authorized  pursuant  to  one  of  the  specific  non-consensual 
conditions  of  disclosure  as  set  forth  in  section  C4.2.  of  this  Chapter. 

C4.1.4.  Validation  before  Disclosure.  Except  for  releases  made  in  accordance  with  Reference
(d),  the  following  steps  shall  be  taken  before  disclosing  any  records  to  any  recipient  outside  the
Department  of  Defense,  other  than  a  Federal  Agency  or  the  individual  to  whom  it  pertains:

C4.1.4.1.  Ensure  that  the  records  are  accurate,  timely,  complete,  and  relevant  for  agency
purposes;

C4.1.4.2.  Contact  the  individual,  if  reasonably  available,  to  verify  the  accuracy,  timeliness,
completeness,  and  relevancy  of  the  information,  if  this  cannot  be  determined  from  the  record;  or

C4.1.4.3.  If  the  information  is  not  current  and  the  individual  is  not  reasonably  available,
advise  the  recipient  that  the  information  is  believed  accurate  as  of  a  specific  date  and  any  other
known  factors  bearing  on  its  accuracy  and  relevancy. 


C4.2.  NON-CONSENSUAL  CONDITIONS  OF  DISCLOSURES 
C4.2.1.  Disclosures  within  the  Department  of  Defense 

C4.2.1.1.  Records  pertaining  to  an  individual  may  be  disclosed  to  a  DoD  official  or
employee  provided:

C4.2.1.1.1.  The  requester  has  a  need  for  the  record  in  the  performance  of  his  or  her
assigned  duties.  The  requester  shall  articulate  in  sufficient  detail  why  the  records  are  required  so
that  the  custodian  of  the  records  may  make  an  informed  decision  regarding  their  release;

C4.2.1.1.2.  The  intended  use  of  the  record  generally  relates  to  the  purpose  for  which  the
record  is  maintained;  and 

C4.2.1.1.3.  Only  those  records  as  are  minimally  required  to  accomplish  the  intended  use 
are  disclosed.  The  entire  record  is  not  released  if  only  a  part  of  the  record  will  be  responsive  to  the 
request. 

C4.2.1.2.  Rank,  position,  or  title  alone  does  not  authorize  access  to  personal  information
about  others. 

C4.2.2.  Disclosures  Required  by  FOIA  (Reference  (p)) 

C4.2.2.1.  All  records  must  be  disclosed  if  their  release  is  required  by  Reference  (p),  as 
implemented  by  Reference  (d).  The  FOIA  requires  that  records  be  made  available  to  the  public 
unless  withholding  is  authorized  pursuant  to  one  of  nine  exemptions  or  one  of  three  law 
enforcement  exclusions  under  the  Act. 

C4.2.2.1.1.  The  DoD  Component  must  be  in  receipt  of  a  FOIA  request  and  a
determination  made  that  the  records  are  not  withholdable  pursuant  to  a  FOIA  exemption  or
exclusion  before  the  records  may  be  disclosed. 

C4.2.2.1.2.  Records  that  have  traditionally  been  held  to  be  in  the  public  domain  or 
which  are  required  to  be  disclosed  to  the  public,  such  as  press  releases,  may  be  disclosed  whether 
or  not  a  FOIA  request  has  been  received. 

C4.2.2.2.  The  standard  for  exempting  most  personal  records,  such  as  personnel,  medical, 
and  similar  records,  is  FOIA  Exemption  6  (paragraph  C3.2.1.6.  of  Reference  (d)).  Under  that 
exemption,  records  can  be  withheld  when  disclosure,  if  other  than  to  the  individual  about  whom  the 
information  pertains,  would  result  in  a  clearly  unwarranted  invasion  of  the  individual’s  personal 
privacy.

C4.2.2.3.  The  standard  for  exempting  personal  records  compiled  for  law  enforcement
purposes,  including  personnel  security  investigation  records,  is  FOIA  Exemption  7(C)
(C3.2.1.7.1.3.  of  Reference  (d)).  Under  that  exemption,  records  can  be  withheld  when  disclosure,  if
other  than  to  the  individual  about  whom  the  information  pertains,  would  result  in  an  unwarranted
invasion  of  the  individual’s  personal  privacy. 

C4.2.2.4.  If  records  or  information  are  exempt  from  disclosure  pursuant  to  the  standards  set 
forth  in  subparagraphs  C4.2.2.2.  and/or  C4.2.2.3.,  and  the  records  are  contained  in  a  system  of 
records  (See  Chapter  1  of  this  Regulation),  Reference  (b)  prohibits  release. 

C4.2.2.5.  Personal  Information  That  Is  Normally  Releasable 
C4.2.2.5.1.  DoD  Civilian  Employees 

C4.2.2.5.1.1.  Some  examples  of  personal  information  regarding  DoD  civilian
employees  that  normally  may  be  released  without  a  clearly  unwarranted  invasion  of  personal
privacy  include:

C4.2.2.5.1.1.1.  Name.

C4.2.2.5.1.1.2.  Present  and  past  position  titles.

C4.2.2.5.1.1.3.  Present  and  past  grades.

C4.2.2.5.1.1.4.  Present  and  past  annual  salary  rates.

C4.2.2.5.1.1.5.  Present  and  past  duty  stations.

C4.2.2.5.1.1.6.  Office  and  duty  telephone  numbers.

C4.2.2.5.1.1.7.  Position  Descriptions.

C4.2.2.5.1.2.  All  disclosures  of  personal  information  regarding  Federal  civilian
employees  shall  be  made  in  accordance  with  OPM  release  policies.  See  Part  293.311  of
Reference  (e). 


C4.2.2.5.2.  Military  Members 


C4.2.2.5.2.1.  While  it  is  not  possible  to  identify  categorically  information  that  must
be  released  or  withheld  from  military  personnel  records  in  every  instance,  the  following  items  of
personal  information  regarding  individual  military  members  normally  may  be  disclosed  without  a
clearly  unwarranted  invasion  of  their  personal  privacy:

C4.2.2.5.2.1.1.  Full  name.

C4.2.2.5.2.1.2.  Rank.

C4.2.2.5.2.1.3.  Date  of  rank.

C4.2.2.5.2.1.4.  Gross  salary. 

C4.2.2.5.2.1.5.  Past  duty  assignments. 

C4.2.2.5.2.1.6.  Present  duty  assignment. 

C4.2.2.5.2.1.7.  Future  assignments  that  are  officially  established. 
C4.2.2.5.2.1.8.  Office  or  duty  telephone  numbers. 

C4.2.2.5.2.1.9.  Source  of  commission. 

C4.2.2.5.2.1.10.  Promotion  sequence  number. 

C4.2.2.5.2.1.11.  Awards  and  decorations.

C4.2.2.5.2.1.12.  Attendance  at  professional  military  schools. 

C4.2.2.5.2.1.13.  Duty  status  at  any  given  time. 

C4.2.2.5.2.1.14.  Home  of  record  (identification  of  the  state  only). 
C4.2.2.5.2.1.15.  Length  of  military  service 
C4.2.2.5.2.1.16.  Basic  Pay  Entry  Date 
C4.2.2.5.2.1.17.  Official  Photo 

C4.2.2.5.2.2.  All  disclosures  of  personal  information  regarding  military  members
shall  be  made  in  accordance  with  Reference  (d).

C4.2.2.5.3.  Civilian  Employees  Not  Under  the  Authority  of  OPM

C4.2.2.5.3.1.  While  it  is  not  possible  to  identify  categorically  those  items  of 
personal  information  that  must  be  released  regarding  civilian  employees  not  subject  to 
Reference  (e),  such  as  nonappropriated  fund  employees,  normally  the  following  items  may  be 
released  without  a  clearly  unwarranted  invasion  of  personal  privacy: 

C4.2.2.5.3.1.1.  Full  name. 

C4.2.2.5.3.1.2.  Grade  or  position.

C4.2.2.5.3.1.3.  Date  of  grade.

C4.2.2.5.3.1.4.  Gross  salary.

C4.2.2.5.3.1.5.  Present  and  past  assignments.

C4.2.2.5.3.1.6.  Future  assignments,  if  officially  established.

C4.2.2.5.3.1.7.  Office  or  duty  telephone  numbers.

C4.2.2.5.3.2.  All  releases  of  personal  information  regarding  civilian  personnel  in
this  category  shall  be  made  in  accordance  with  Reference  (d).

C4.2.2.6.  When  military  or  civilian  personnel  are  assigned,  detailed,  or  employed  by  the 
National  Security  Agency,  the  Defense  Intelligence  Agency,  the  National  Reconnaissance  Office, 
or  the  National  Geospatial-Intelligence  Agency,  information  about  such  personnel  may  only  be
disclosed  as  authorized  by  Public  Law  86-36  (1959)  (Reference  (q))  and  Section  424  of  10  U.S.C.
(Reference  (r)).  When  military  and  civilian  personnel  are  assigned,  detailed  or  employed  by  an 
overseas  unit,  a  sensitive  unit,  or  to  a  routinely  deployable  unit,  information  about  such  personnel 
may  only  be  disclosed  as  authorized  by  section  130b  of  Reference  (r). 


C4.2.2.7.  Information  about  military  or  civilian  personnel  that  otherwise  may  be 
disclosable  consistent  with  subparagraph  C4.2.2.5.  may  not  be  releasable  if  a  requester  seeks 
listings  of  personnel  currently  or  recently  assigned/detailed/employed  within  a  particular 
component,  unit,  organization,  or  office  with  the  Department  of  Defense,  if  the  disclosure  of  such  a 
list  would  pose  a  privacy  or  security  threat. 

C4.2.3.  Disclosures  for  Established  Routine  Uses 


C4.2.3.1.  Records  may  be  disclosed  outside  the  Department  of  Defense  pursuant  to  a 
routine  use  that  has  been  established  for  the  system  of  records  that  contains  the  records. 

C4.2.3.2.  A  routine  use  shall:

C4.2.3.2.1.  Be  compatible  with  the  purpose  for  which  the  record  was  collected;

C4.2.3.2.2.  Identify  the  persons  or  organizations  to  whom  the  record  may  be  released;

C4.2.3.2.3.  Identify  specifically  the  intended  uses  of  the  information  by  the  persons  or
organization;  and

C4.2.3.2.4.  Have  been  published  in  the  Federal  Register.  See  paragraph  C6.3.9  of
Chapter  6.

C4.2.3.3.  If  a  Federal  statute  or  an  Executive  Order  of  the  President  directs  that  records 
contained  in  a  system  of  records  be  disclosed  outside  the  Department  of  Defense,  the  statute  or 
Executive  Order  serves  as  authority  for  the  establishment  of  a  routine  use.

C4.2.3.4.  New  or  altered  routine  uses  must  be  published  in  the  Federal  Register  at  least  30
days  before  any  records  may  be  disclosed  pursuant  to  the  terms  of  the  routine  use  (see  Chapter  6).

C4.2.3.5.  In  addition  to  the  specific  routine  uses  established  for  each  of  the  individual
system  notices,  blanket  routine  uses  have  been  established  (see  Appendix  3)  that  are  applicable  to
all  DoD  system  of  records.  However,  in  order  for  the  blanket  routine  uses  to  apply  to  a  specific
system  of  records,  the  system  notice  shall  expressly  state  that  the  blanket  routine  uses  apply.  These
blanket  routine  uses  are  published  only  at  the  beginning  of  the  listing  of  system  notices  for  each 
Component  in  the  Federal  Register. 

C4.2.4.  Disclosures  to  the  Bureau  of  the  Census.  Records  in  DoD  systems  of  records  may  be 
disclosed  without  the  consent  of  the  individuals  to  whom  they  pertain  to  the  Bureau  of  the  Census 
for  purposes  of  planning  or  carrying  out  a  census  survey  or  related  activities  pursuant  to  the 
provisions  of  section  6  of  13  U.S.C.  (Reference  (s)). 

C4.2.5.  Disclosures  for  Statistical  Research  or  Reporting 

C4.2.5.1.  Records  may  be  disclosed  for  statistical  research  or  reporting  but  only  after  the
intended  recipient  provides,  in  writing,  the  purpose  for  which  the  records  are  sought  and  assurances
that  the  records  will  be  used  only  for  statistical  research  or  reporting  purposes.

C4.2.5.2.  The  records  shall  be  transferred  to  the  requester  in  a  form  that  is  not  individually
identifiable.  DoD  Components  disclosing  records  under  this  provision  are  required  to  assure  that 
information  being  disclosed  cannot  reasonably  be  used  in  any  way  to  make  determinations  about 
individuals. 

C4.2.5.3.  The  records  will  not  be  used,  in  whole  or  in  part,  to  make  any  determination 
about  the  rights,  benefits,  or  entitlements  of  specific  individuals. 

C4.2.5.4.  The  written  statement  by  the  requester  shall  be  made  part  of  the  Component’s
accounting  of  disclosures.  See  paragraph  C4.5.1  of  this  Chapter.

C4.2.6.  Disclosures  to  the  National  Archives  and  Records  Administration  (NARA),  General 
Services  Administration  (GSA). 

C4.2.6.1.  Records  may  be  disclosed  to  the  NARA: 

C4.2.6.1.1. If they have historical or other value to warrant continued preservation; or

C4.2.6.1.2.  For  evaluation  by  the  Archivist  of  the  United  States,  or  his  or  her  designee, 
to  determine  if  a  record  has  such  historical  or  other  value. 

C4.2.6.2.  Records  transferred  to  a  Federal  Records  Center  (FRC)  for  safekeeping  and 
storage  do  not  fall  within  this  category.  These  records  are  owned  by  the  Component  and  remain 
under  the  control  of  the  transferring  Component.  FRC  personnel  are  considered  agents  of  the 
Component that retains control over the records. No disclosure accounting is required for the
transfer  of  records  to  the  FRCs. 

C4.2.7.  Disclosures  for  Law  Enforcement  Purposes 

C4.2.7.1.  Records  may  be  disclosed  to  another  Agency  or  an  instrumentality  of  any 
Governmental  jurisdiction  within  or  under  control  of  the  United  States  for  a  civil  or  criminal  law 
enforcement  activity,  provided: 

C4.2.7.1.1. The civil or criminal law enforcement activity is authorized by law.

C4.2.7.1.2.  The  head  of  the  law  enforcement  activity  or  a  designee  has  made  a  written 
request  specifying  the  particular  records  desired  and  the  law  enforcement  purpose  (such  as  criminal 
investigations,  enforcement  of  a  civil  law,  or  a  similar  purpose)  for  which  the  record  is  sought;  and. 

C4.2.7.1.3.  There  is  no  Federal  statute  that  prohibits  the  disclosure  of  the  records. 

C4.2.7.2.  Blanket  requests  for  any  and  all  records  pertaining  to  an  individual  shall  not  be 
honored  absent  justification. 

C4.2.7.3.  When  a  record  is  released  to  a  law  enforcement  activity  under  this  subparagraph, 
the  disclosure  accounting  (See  paragraph  C4.5  of  this  chapter)  for  the  release  shall  not  be  made 
available  to  the  individual  to  whom  the  record  pertains  if  the  law  enforcement  activity  requests  that 
the  disclosure  not  be  disclosed. 

C4.2.7.4. The blanket routine use for law enforcement (Appendix 3, section AP3.1.) applies
to all DoD Component systems notices. See paragraph C4.2.3.5. of this Chapter. This permits
Components, on their own initiative, to report indications of violations of law found in a system of
records to a law enforcement activity.

C4.2.7.5.  Disclosures  may  be  made  to  Federal,  State,  or  local  but  not  foreign  law 
enforcement agencies. Disclosures to foreign law enforcement agencies may be made if a routine
use  has  been  established  for  the  system  of  records  from  which  the  records  are  to  be  released. 

C4.2.8.  Emergency  Disclosures 

C4.2.8.1. Records may be disclosed if disclosure is made under compelling circumstances
affecting  the  health  or  safety  of  any  individual.  The  affected  individual  need  not  be  the  subject  of 
the  record  disclosed. 

C4.2.8.2.  When  such  a  disclosure  is  made,  the  Component  shall  notify  the  individual  who 
is  the  subject  of  the  record.  Notification  sent  to  the  last  known  address  of  the  individual  as  known 
to  the  Component  is  sufficient. 

C4.2.8.3.  The  specific  data  to  be  disclosed  is  at  the  discretion  of  the  Component. 

C4.2.8.4.  Emergency  medical  information  may  be  released  by  telephone. 

C4.2.9. Disclosures to Congress

C4.2.9.1.  Records  may  be  disclosed  to  either  House  of  the  Congress  or  to  any  committee, 
joint  committee  or  subcommittee  of  Congress  if  the  release  pertains  to  a  matter  within  the 
jurisdiction  of  the  committee.  Disclosure  is  only  authorized  when  in  response  to  an  official  request 
on  behalf  of  either  House,  committee,  subcommittee,  or  joint  committee. 

C4.2.9.2.  Requests  from  members  of  Congress  who  are  seeking  records  in  their  individual 
capacity or on behalf of a constituent.

C4.2.9.2.1. Requests made in their individual capacity. Request for records shall be
processed  under  the  provisions  of  Reference  (d). 

C4.2.9.2.2.  Requests  made  on  behalf  of  constituents. 

C4.2.9.2.2.1. The blanket routine use for “Congressional Inquiries” (see Appendix
3, section AP3.4.) applies to all systems. When an individual requests the assistance of the
Congressional member, the blanket routine use permits the disclosure of records pertaining to the
individual  without  the  express  written  consent  of  the  individual. 

C4.2.9.2.2.2.  If  necessary,  accept  constituent  letters  requesting  a  member  of 
Congress  to  investigate  a  matter  pertaining  to  the  individual  as  written  authorization  to  provide 
access  to  the  records  to  the  congressional  member  or  his  or  her  staff. 

C4.2.9.2.2.3.  When  a  Congressional  inquiry  indicates  that  the  request  is  being  made 
on  the  basis  of  a  request  from  the  individual  to  whom  the  record  pertains,  consent  can  be  inferred, 
even  if  the  constituent  request  is  not  provided  the  Component.  The  verbal  statement  by  a 
Congressional  staff  member  is  acceptable  to  establish  that  a  request  has  been  received  by  the 
Member  of  Congress  from  the  person  to  whom  the  records  pertain. 

C4.2.9.2.2.4.  If  the  constituent  inquiry  is  being  made  on  behalf  of  someone  other 
than  the  individual  to  whom  the  record  pertains,  the  Member  of  Congress  shall  be  provided  only 
that  information  releasable  under  Reference  (d).  Advise  the  Congressional  member  that  the  written 
consent of the individual to whom the record pertains is required before any additional information
may  be  disclosed.  Do  not  contact  individuals  to  obtain  their  consents  for  release  to  Congressional 
members  unless  a  Congressional  office  specifically  requests  that  this  be  done. 

C4.2.9.2.2.5.  Nothing  in  subparagraph  C4.2.9.2.2.1.  of  this  Chapter  prohibits  a 
Component,  when  appropriate,  from  providing  the  record  directly  to  the  individual  and  notifying 
the  Congressional  office  that  this  has  been  done  without  providing  the  record  to  the  Congressional 
member. 

C4.2.9.3.  See  paragraph  C3.4.5.  of  Chapter  3  for  the  policy  on  assessing  fees  for  Members 
of  Congress. 

C4.2.9.4. Make a disclosure accounting each time a record is disclosed to either House of
Congress,  to  any  committee,  joint  committee,  or  subcommittee  of  Congress,  or  to  any 
congressional  member. 

C4.2.10.  Disclosures  to  the  General  Accountability  Office.  Records  may  be  disclosed  to  the 
Comptroller  General,  or  any  of  his  authorized  representatives,  in  the  course  of  the  performance  of 
the  duties  of  the  General  Accountability  Office. 

C4.2.11.  Disclosures  under  Court  Orders 

C4.2.11.1. Records may be disclosed without the consent of the person to whom they
pertain  under  a  court  order  signed  by  a  judge  of  a  court  of  competent  jurisdiction. 

C4.2.11.2. When a record is disclosed under this provision, make reasonable efforts to
notify  the  individual  to  whom  the  record  pertains,  if  the  legal  process  is  a  matter  of  public  record. 

C4.2.11.3. If the process is not a matter of public record at the time it is issued, seek
information  as  to  when  the  process  is  to  be  made  public  and  make  reasonable  efforts  to  notify  the 
individual  at  that  time. 

C4.2.11.4. Notification sent to the last known address of the individual as reflected in the
records  is  considered  a  reasonable  effort  to  notify. 

C4.2.11.5. Make a disclosure accounting each time a record is disclosed under a court order
or  compulsory  legal  process. 

C4.2.12.  Disclosures  to  Consumer  Reporting  Agencies 

C4.2.12.1. Certain personal information may be disclosed to consumer reporting agencies,
as  provided  by  Reference  (k). 

C4.2.12.2. Upon compliance with the requirements of Reference (k), the following
information  may  be  disclosed  to  a  consumer  reporting  agency: 

C4.2.12.2.1. Name, address, taxpayer identification number (SSN), and other
information necessary to establish the identity of the individual.

C4.2.12.2.2. The amount, status, and history of the claim.

C4.2.12.2.3. The Agency or program under which the claim arose.

C4.2.12.3. Reference (k) requires that the system notice for the system of records from
which the information will be disclosed indicate that the information may be disclosed to a
consumer  reporting  agency. 

C4.3. DISCLOSURES TO COMMERCIAL ENTERPRISES

C4.3.1.  General  Policy 

C4.3.1.1. Make releases of personal information as authorized under the criteria established
by  Reference  (d). 

C4.3.1.2. The relationship of commercial enterprises to their clients or customers and to the
Department  of  Defense  is  not  changed  by  this  Regulation. 

C4.3.1.3. The DoD policy on personal indebtedness for military personnel is contained in
DoD  Directive  1344.9  (Reference  (t))  and  for  civilian  employees  in  Part  735  of  Reference  (e). 

C4.3.2. Release of Personal Information

C4.3.2.1. Any information that must be released under Reference (d) may be released to a
commercial  enterprise  without  the  individual’s  consent.  See  paragraph  C4.2.2.  of  this  Chapter. 

C4.3.2.2.  Commercial  enterprises  may  present  a  signed  consent  statement  setting  forth 
specific  conditions  for  release  of  personal  information.  Statements  such  as  the  following,  if  signed 
by  the  individual,  are  considered  valid: 

“I  hereby  authorize  the  Department  of  Defense  to  verify  my  Social  Security  Number  or  other 
identifying  information,  and  to  disclose  my  home  address  and  telephone  number  to  authorized 
representatives  of  [name  of  commercial  enterprise],  so  that  they  may  use  this  information  in 
connection  with  my  commercial  dealings  with  that  enterprise.  All  information  furnished  shall  be 
used  in  connection  with  my  financial  relationship  with  [name  of  commercial  enterprise].” 

C4.3.2.3.  When  a  statement  of  consent  as  outlined  in  paragraph  C4.3.2.2.  of  this  Chapter  is 
presented,  provide  the  requested  information,  if  its  release  is  not  prohibited  by  some  other 
regulation  or  statute. 

C4.3.2.4.  Blanket  statements  of  consent  that  do  not  identify  the  Department  of  Defense  or 
any  of  its  Components,  or  that  do  not  specify  exactly  the  type  of  information  to  be  released,  may  be 
honored  if  it  is  clear  that  the  individual  in  signing  the  consent  statement  intended  to  obtain  a 
personal benefit (for example, a loan to buy a house) and was aware of the type of information that
would  be  sought.  Care  should  be  exercised  in  these  situations  to  release  only  the  minimum  amount 
of  personal  information  essential  to  obtain  the  benefit  sought. 

C4.3.2.5.  Do  not  honor  requests  from  commercial  enterprises  for  official  evaluation  of 
personal  characteristics,  such  as  evaluation  of  personal  financial  habits. 

C4.4.  DISCLOSURES  TO  THE  PUBLIC  FROM  MEDICAL  RECORDS 

C4.4.1. Disclosures from medical records are not only governed by the requirement of this
regulation  but  also  by  the  disclosure  provisions  of  Reference  (o). 

C4.4.2. Any medical records that are subject to both this regulation and Reference (o) may
only  be  disclosed  if  disclosure  is  authorized  under  both  regulations.  If  disclosure  is  permitted  under 
this  Regulation  (e.g.,  pursuant  to  a  routine  use),  but  the  disclosure  is  not  authorized  under 
Reference  (o),  disclosure  is  not  authorized.  If  a  disclosure  is  authorized  under  Reference  (o)  (e.g., 
releases  outside  the  Department  of  Defense),  but  the  disclosure  is  not  authorized  under  this 
regulation,  disclosure  is  not  authorized. 


C4.5.  DISCLOSURE  ACCOUNTING 
C4.5.1.  Disclosure  Accountings 

C4.5.1.1. Keep an accurate record of all disclosures made from any system of records
except  disclosures: 

C4.5.1.1.1. To DoD personnel for use in the performance of their official duties; or
C4.5.1.1.2.  Under  Reference  (p). 

C4.5.1.2.  In  all  other  cases,  a  disclosure  accounting  is  required,  even  if  the  individual  has 
consented  to  the  disclosure  of  the  information. 

C4.5.1.3.  Disclosure  accountings: 

C4.5.1.3.1. Permit individuals to determine to whom information has been disclosed;

C4.5.1.3.2. Enable the activity to notify past recipients of disputed or corrected
information  (paragraphs  C3.3.9.  of  Chapter  3);  and 

C4.5.1.3.3. Provide a method of determining compliance with paragraph C4.1.3. of this
Chapter. 

C4.5.2.  Contents  of  Disclosure  Accounts.  At  a  minimum,  disclosure  accounting  shall  contain: 
C4.5.2.1.  The  date  of  the  disclosure; 

C4.5.2.2.  A  description  of  the  information  released; 

C4.5.2.3.  The  purpose  of  the  disclosure;  and 

C4.5.2.4. The name and address of the person or Agency to whom the disclosure was
made.

C4.5.3.  Methods  of  Disclosure  Accounting.  Use  any  system  of  disclosure  accounting  that  shall 
provide  readily  the  necessary  disclosure  information.  See  paragraph  C4.5.1.3.  of  this  Chapter. 

C4.5.4. Accounting for Mass Disclosures. When numerous similar records are released,
identify  the  category  of  records  disclosed  and  include  the  data  required  by  paragraph  C4.5.2.  of  this 
Chapter  in  a  form  that  can  be  used  to  construct  an  accounting  disclosure  record  for  individual 
records  if  required.  See  subparagraph  C4.5.1.3.  of  this  Chapter. 

C4.5.5.  Disposition  of  Disclosure  Accounting  Records.  Retain  disclosure  accounting  records 
for  5  years  after  the  disclosure  or  the  life  of  the  record,  whichever  is  longer. 

C4.5.6.  Furnishing  Disclosure  Accountings  to  the  Individual 

C4.5.6.1.  Make  available  to  the  individual  to  whom  the  record  pertains  all  disclosure 
accountings  except  when: 

C4.5.6.1.1. The disclosure has been made to a law enforcement activity under
paragraph  C4.2.7.  of  this  Chapter  and  the  law  enforcement  activity  has  requested  that  disclosure  not 
be  made;  or 

C4.5.6.1.2.  The  system  of  records  has  been  exempted  from  the  requirement  to  furnish 
the  disclosure  accounting  under  the  provisions  of  paragraph  C5.1.2.  of  Chapter  5. 

C4.5.6.2.  If  disclosure  accountings  are  not  maintained  with  the  record  and  the  individual 
requests access to the accounting, prepare a listing of all disclosures. See paragraph C4.5.2. of this
Chapter,  and  provide  this  to  the  individual  upon  request. 

C5. CHAPTER 5
EXEMPTIONS 

C5.1.  USE  AND  ESTABLISHMENT  OF  EXEMPTIONS 
C5.1.1.  Types  of  Exemptions 

C5.1.1.1. There are three types of exemptions permitted by Reference (b).

C5.1.1.1.1. An access exemption (section 552a(d)(5) of Reference (b)) that exempts
records  compiled  in  reasonable  anticipation  of  a  civil  action  or  proceeding  from  the  access 
provisions  of  the  Act. 

C5.1.1.1.2. General exemptions (section 552a(j) of Reference (b)) that authorize the
exemption of a system of records from all but certain specifically identified provisions of the Act.
See Appendix 4.

C5.1.1.1.3. Specific exemptions (section 552(k) of Reference (b)) that allow a system
of  records  to  be  exempted  only  from  certain  designated  provisions  of  the  Act.  See 
Appendix  4. 

C5.1.1.2. Nothing in the Act permits exemption of any system of records from all
provisions  of  the  Act. 

C5.1.2.  Establishing  Exemptions 

C5.1.2.1. The access exemption is self-executing. It does not require an implementing rule
to  be  effective. 

C5.1.2.2. Neither a general nor a specific exemption is established automatically for any
system  of  records.  The  Heads  of  the  DoD  Components  maintaining  the  system  of  records  must 
make  a  determination  whether  the  system  is  one  for  which  an  exemption  properly  may  be  claimed 
and  then  propose  and  establish  an  exemption  rule  for  the  system.  No  system  of  records  within  the 
Department  of  Defense  shall  be  considered  exempted  until  the  Head  of  the  Component  has 
approved  the  exemption  and  an  exemption  rule  has  been  published  as  a  final  rule  in  the  Federal 
Register. See paragraph C6.1.5. of Chapter 6.

C5.1.2.3.  Only  the  Head  of  the  DoD  Component  or  an  authorized  designee  may  claim  an 
exemption  for  a  system  of  records. 

C5.1.2.4. A system of records is considered exempt only from those provisions of Reference
(b)  that  are  identified  specifically  in  the  Component  exemption  rule  for  the  system  and  that  are 
authorized  by  Reference  (b). 

C5.1.2.5.  To  establish  an  exemption  rule,  see  paragraph  C6.2.1.  of  Chapter  6. 

C5.1.3. Blanket Exemption for Classified Material

C5.1.3.1. Component rules shall include a blanket exemption under section 552a(k)(1)
(Reference  (b))  from  the  access  provisions  (section  552a(d)  of  Reference  (b)),  and  the  notification 
of  access  procedures  (section  552a(e)(4)(H)  of  Reference  (b))  for  all  classified  material  in  any 
systems  of  records  maintained. 

C5.1.3.2. Do not claim specifically an exemption under section 552a(k)(1) (Reference (b))
for any system of records. The blanket exemption affords protection to all classified material in all
systems of records maintained.

C5.1.4.  Provisions  From  Which  Exemptions  May  Be  Claimed.  The  Head  of  a  DoD 
Component  may  claim  an  exemption  from  any  provision  of  the  Act  from  which  an  exemption  is 
allowed.  See  Appendix  4. 

C5.1.5.  Use  of  Exemptions 

C5.1.5.1. Use exemptions only for the specific purposes set forth in the exemption rules.
See  paragraph  C6.2.2.  of  Chapter  6. 

C5.1.5.2. Use exemptions only when they are in the best interest of the Government, and
limit  them  to  the  specific  portions  of  the  records  requiring  protection. 

C5.1.5.3.  Do  not  use  an  exemption  to  deny  an  individual  access  to  any  record  to  which  he 
or  she  would  have  access  under  (Reference  (d)). 

C5.1.6.  Exempt  Records  in  Non-Exempt  Systems 

C5.1.6.1. Exempt records temporarily in the custody of another Component are considered
the  property  of  the  originating  Component.  Access  to  these  records  is  controlled  by  the  system 
notices  and  rules  of  the  originating  Component. 

C5.1.6.2. Exempt records that have been incorporated into a non-exempt system of records
are  still  exempt,  but  only  to  the  extent  to  which  the  provisions  of  the  Act  for  which  an  exemption 
has  been  claimed  are  identified  and  an  exemption  claimed  for  the  system  of  records  from  which  the 
record  is  obtained  and  only  when  the  purposes  underlying  the  exemption  for  the  record  are  still 
valid  and  necessary  to  protect  the  contents  of  the  record. 

C5.1.6.3.  If  a  record  is  accidentally  misfiled  into  a  system  of  records,  the  system  notice  and 
rules  for  the  system  in  which  it  should  actually  be  filed  shall  govern. 

C5.2. ACCESS EXEMPTION

C5.2.1. An individual is not entitled to access information that is compiled in reasonable
anticipation  of  a  civil  action  or  proceeding. 

C5.2.2.  The  term  “civil  action  or  proceeding”  is  intended  to  include  court  proceedings, 
preliminary  judicial  steps,  and  quasi-judicial  administrative  hearings  or  proceedings  (i.e., 
adversarial  proceedings  that  are  subject  to  rules  of  evidence). 

C5.2.3.  Any  information  prepared  in  anticipation  of  such  actions  or  proceedings,  to  include 
information  prepared  to  advise  the  DoD  Component  officials  of  the  possible  legal  or  other 
consequences  of  a  given  course  of  action,  is  protected. 

C5.2.4.  The  exemption  is  similar  to  the  attorney  work-product  privilege,  except  that  it  applies 
even when the information is prepared by non-attorneys.

C5.2.5.  The  exemption  does  not  apply  to  information  compiled  in  anticipation  of  criminal 
actions  or  proceedings. 


C5.3.  GENERAL  EXEMPTIONS 

C5.3.1. A DoD Component is not authorized to claim the exemption for records maintained by
the Central Intelligence Agency established by section 552a(j)(1) of Reference (b).

C5.3.2.  The  general  exemption  established  by  section  552a(j)(2)  of  Reference  (b)  may  be 
claimed  to  protect  investigative  records  created  and  maintained  by  law-enforcement  activities  of  a 
DoD  Component. 

C5.3.3.  To  qualify  for  the  (j)(2)  exemption,  the  system  of  records  must  be  maintained  by  a 
DoD  Component,  or  element  thereof,  that  performs  as  its  principal  function  any  activity  pertaining 
to  the  enforcement  of  criminal  laws,  such  as  the  U.S.  Army  Criminal  Investigation  Command,  the 
Naval  Criminal  Investigative  Service,  the  Air  Force  Office  of  Special  Investigations,  and  military 
police  activities.  However,  where  DoD  offices  perform  multiple  functions,  but  have  an 
investigative  Component  in  which  law  enforcement  is  the  principal  function,  such  as  the  DoD 
Inspector  General  Defense  Criminal  Investigative  Service,  or  Criminal  Law  Divisions  of  Staff 
Judge  Advocates  Offices,  the  exemption  may  be  claimed.  Law  enforcement  includes  police  efforts 
to  detect,  prevent,  control,  or  reduce  crime;  to  apprehend  or  identify  criminals;  and  the  activities  of 
military  trial  counsel,  correction,  probation,  pardon,  or  parole  authorities. 

C5.3.4. Information that may be protected under the (j)(2) exemption includes:

C5.3.4.1.  Records  compiled  for  the  purpose  of  identifying  criminal  offenders  and  alleged 
offenders  consisting  only  of  identifying  data  and  notations  of  arrests,  the  nature  and  disposition  of 
criminal  charges,  sentencing,  confinement,  release,  parole,  and  probation  status  (so-called  criminal 
history  records). 



C5.3.4.2.  Reports  and  other  records  compiled  during  criminal  investigations,  to  include 
supporting  documentation. 

C5.3.4.3.  Other  records  compiled  at  any  stage  of  the  criminal  law  enforcement  process 
from  arrest  or  indictment  through  the  final  release  from  parole  supervision,  such  as  pre-sentence 
and  parole  reports. 

C5.3.5.  The  (j)(2)  exemption  does  not  apply  to: 

C5.3.5.1. Investigative records prepared or maintained by activities without primary law-enforcement
missions. It may not be claimed by any activity that does not have law enforcement as
its  principal  function  except  as  indicated  in  subparagraph  C5.3.3. 

C5.3.5.2.  Investigative  records  compiled  by  any  activity  concerning  employee  suitability, 
eligibility,  qualification,  or  for  individual  access  to  classified  material  regardless  of  the  principal 
mission  of  the  compiling  DoD  Component. 


C5.4.  SPECIFIC  EXEMPTIONS 

C5.4.1.  The  specific  exemption  established  by  section  552a(k)  of  Reference  (b)  may  be 
claimed  to  protect  records  that  meet  the  following  criteria  (parenthetical  References  are  to  the 
appropriate  subsection  of  Reference  (b)): 

C5.4.1.1. (k)(1). Information that is subject to section 552(b)(1) of Reference (p). (See
also  paragraph  C5.1.3  of  this  Chapter.) 

C5.4.1.2. (k)(2). Investigatory information compiled for law enforcement purposes, other
than  information  that  is  covered  by  the  general  exemption  (subparagraph  C5.3.  of  this  Chapter).  If 
an  individual  is  denied  any  right,  privilege,  or  benefit  that  he  or  she  is  otherwise  entitled  by  Federal 
law,  or  for  which  he  or  she  would  otherwise  be  eligible  as  a  result  of  the  maintenance  of  the 
information, the individual shall be provided access to the information except to the extent that
disclosure  would  reveal  the  identity  of  a  confidential  source.  This  exemption  provides  limited 
protection  of  investigative  reports  maintained  in  a  system  of  records  used  in  personnel  or 
administrative  actions. 

C5.4.1.2.1. The information must be compiled for some investigative law enforcement
purpose,  such  as  a  criminal  investigation  by  a  DoD  office,  whose  principal  function  is  not  law 
enforcement,  or  a  civil  investigation. 

C5.4.1.2.2. The exemption does not apply to investigations conducted solely for the
purpose  of  a  routine  background  investigation  (see  subparagraph  C5.4.1.5.  of  this  Chapter),  but  will 
apply  if  the  investigation  is  for  the  purpose  of  investigating  DoD  personnel  who  are  suspected  of 
violating  statutory  or  regulatory  authority. 

C5.4.1.2.3. The exemption can continue to be claimed even after the investigation has
concluded  and  there  is  no  future  likelihood  of  further  enforcement  proceedings. 

C5.4.1.3. (k)(3). Records maintained in connection with providing protective services to the
President  and  other  individuals  under  section  3056  of  18  U.S.C.  (Reference  (u)). 

C5.4.1.4. (k)(4). Records maintained solely for statistical research or program evaluation
purposes  and  that  are  not  used  to  make  decisions  on  the  rights,  benefits,  or  entitlement  of  an 
individual  except  for  census  records  that  may  be  disclosed  under  Reference  (s). 

C5.4.1.5. (k)(5). Investigatory material compiled solely for the purpose of determining
suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal
contracts, or access to classified information, but only to the extent such material would reveal the
identity  of  a  confidential  source. 

C5.4.1.5.1. This exemption permits protection of confidential sources used in
background  investigations,  employment  inquiries,  and  similar  inquiries  that  are  for  personnel 
screening  to  determine  suitability,  eligibility,  or  qualifications. 

C5.4.1.5.2. This exemption is applicable not only to investigations conducted prior to
the  hiring  of  an  employee,  but  it  also  applies  to  investigations  conducted  to  determine  continued 
employment  suitability  or  eligibility. 

C5.4.1.6. (k)(6). Testing or examination material used solely to determine individual
qualifications  for  appointment  or  promotion  in  the  Federal  or  military  service,  if  the  disclosure 
would  compromise  the  objectivity  or  fairness  of  the  test  or  examination  process. 

C5.4.1.7. (k)(7). Evaluation material used to determine potential for promotion in the
Military  Services,  but  only  to  the  extent  that  the  disclosure  of  such  material  would  reveal  the 
identity  of  a  confidential  source. 

C5.4.2.  Promises  of  Confidentiality 

C5.4.2.1. Only the identity of sources that have been given an express promise of
confidentiality may be protected from disclosure under paragraphs C5.4.1.2., C5.4.1.5., and
C5.4.1.7. However, the identity of sources who were given implied promises of confidentiality in
inquiries  conducted  before  September  27,  1975,  also  may  be  protected  from  disclosure. 

C5.4.2.2.  Ensure  that  promises  of  confidentiality  are  not  automatically  given  but  are  used 
sparingly.  Establish  appropriate  procedures  and  identify  fully  categories  of  individuals  who  may 
make  such  promises.  Promises  of  confidentiality  shall  be  made  only  when  they  are  essential  to 
obtain  the  information  sought  (see  Part  736  of  Reference  (e)). 

C5.4.3.  Access  to  Records  for  which  Specific  Exemptions  are  Claimed.  Deny  the  individual 
access  only  to  those  portions  of  the  records  for  which  the  claimed  exemption  applies. 

C6. CHAPTER 6


PUBLICATION  REQUIREMENTS 
C6.1.  FEDERAL  REGISTER  PUBLICATION 


C6.1.1.  What  Must  Be  Published  in  the  Federal  Register? 

C6.1.1.1. Four types of documents relating to the Privacy Program must be published in the
Federal  Register: 


C6.1.1.1.1. DoD Component Privacy Procedural rules.

C6.1.1.1.2. DoD Component exemption rules.

C6.1.1.1.3. System notices.

C6.1.1.1.4. Match notices (see Chapter 11).


C6.1.1.2. See DoD 5025.1-M (Reference (v)) and Administrative Instruction No. 102
(Reference  (w))  for  information  pertaining  to  the  preparation  of  documents  for  publication  in  the 
Federal  Register. 


C6.1.2.  The  Effect  of  Publication  in  the  Federal  Register.  Publication  of  a  document  in  the 
Federal  Register  constitutes  official  public  notice  of  the  existence  and  content  of  the  document. 

C6.1.3.  DoD  Component  Rules 


C6.1.3.1. Component Privacy Program procedures and Component exemption rules are
subject  to  the  rulemaking  procedures  prescribed  in  Reference  (w). 


C6.1.3.2. System notices are not subject to formal rulemaking and are published in the
Federal  Register  as  “Notices,”  not  rules. 


C6.1.3.3.  Privacy  procedural  and  exemption  rules  are  incorporated  automatically  into  the 
CFR.  System  notices  are  not  published  in  the  CFR. 


C6.1.4.  Submission  of  Rules  for  Publication 


C6.1.4.1. Submit to the Defense Privacy Office, Office of the Director of Administration
and Management, all proposed rules implementing this Regulation in proper format (see
References (v) and (w)) for publication in the Federal Register.

C6. 1.4.2.  This  Regulation  has  been  published  as  a  final  rule  in  the  Federal  Register  (32 
CFR  part  310).  Therefore,  incorporate  it  into  your  Component  rules  by  reference,  rather  than  by 
re-publication  (see  Reference  (w)). 
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C6. 1 .4.3.  DoD  Component  procedural  rules  that  simply  implement  this  Regulation  need 
only  be  published  as  final  rules  in  the  Federal  Register  (see  References  (v)  and  (w)).  But,  if  the 
Component  procedural  rule  supplements  the  Regulation  in  any  manner,  they  must  be  published  as 
proposed  rule  before  being  published  as  a  final  rule. 

C6. 1.4.4.  Amendments  to  Component  rules  are  submitted  like  the  basic  rules. 

C6.1.4.5.  The  Defense  Privacy  Office  submits  the  rules  and  amendments  thereto  to  the 
Federal  Register  for  publication. 

C6.1.5.  Submission  of  Exemption  Rules  for  Publication 

C6.1.5.1. No system of records within the Department of Defense shall be considered
exempt from any provision of this Regulation until the exemption and the exemption rule for the
system have been published as a final rule in the Federal Register.

C6.1.5.2. Submit exemption rules in proper format to the Defense Privacy Office. All
exemption rules are coordinated with the Office of General Counsel of the Department of Defense.
After coordination, the Defense Privacy Office shall submit the rules to the Federal Register for
publication.

C6.1.5.3. Exemption rules require publication both as proposed rules and final rules. See
Reference (w).

C6.1.5.4. Section C6.2.2. of this Chapter discusses the content of an exemption rule.

C6.1.5.5.  Submit  amendments  to  exemption  rules  in  the  same  manner  used  for  establishing 
these  rules. 

C6.1.6.  Submission  of  System  Notices  for  Publication 

C6.1.6.1. System notices are not subject to formal rulemaking procedures. However,
Reference (b) requires that a system notice of the existence and character of a new or altered
system of records be published in the Federal Register. Until publication of the notice, DoD Components
shall not begin to operate the system of records (i.e., collect and use the information). The notice
procedures require that:

C6.1.6.1.1. The system notice describes what kinds of records are in the system, on
whom they are maintained, what uses are made of the records, and how an individual may access,
or contest, the records contained in the system.

C6.1.6.1.2. The public be given 30 days to comment on any proposed routine uses
before any disclosures are made pursuant to the routine use; and

C6.1.6.1.3. The notice contain the date on which the system shall become effective.

C6.1.6.2. Submit system notices to the Defense Privacy Office in the Federal Register
format (see Reference (w) and Appendix 5). The Defense Privacy Office transmits the notices to
the Federal Register for publication.

C6.1.6.3. Section C6.3. of this Chapter discusses the specific elements required in a system
notice.


C6.2.  EXEMPTION  RULES 

C6.2.1.  General  Procedures.  Chapter  5  provides  the  general  guidance  for  establishing 
exemptions  for  systems  of  records. 

C6.2.2.  Contents  of  Exemption  Rules 

C6.2.2.1. Each exemption rule submitted for publication must contain the following:

C6.2.2.1.1. The record system identifier and system name of the system for which the
exemption is claimed. (See paragraphs C6.3.2 and C6.3.3 of this Chapter.)

C6.2.2.1.2. The specific sections of Reference (b) under which the exemption for the
system is claimed (for example, sections 552a(j)(2), 552a(k)(3), or 552a(k)(7) of Reference (b)).

C6.2.2.1.3. The specific sections of Reference (b) from which the system is to be
exempted (for example, sections 552a(c)(3) or 552a(d)(1)-(5) of Reference (b)) (see Appendix 4).

C6.2.2.1.4.  The  specific  reasons  why  an  exemption  is  being  claimed  from  each  section 
of  the  Act  identified. 

C6.2.2.2.  Do  not  claim  an  exemption  for  classified  material  for  individual  systems  of 
records.  The  blanket  exemption  applies.  (See  paragraph  C5.1.3  of  Chapter  5.) 


C6.3.  SYSTEM  NOTICES 

C6.3.1.  Contents  of  the  System  Notices 

C6.3.1.1. The following data captions are included in each system notice:

C6.3.1.1.1. Systems identifier. (See paragraph C6.3.2. of this Chapter.)

C6.3.1.1.2. System name. (See paragraph C6.3.3. of this Chapter.)

C6.3.1.1.3. System location. (See paragraph C6.3.4 of this Chapter.)

C6.3.1.1.4. Categories of individuals covered by the system. (See paragraph C6.3.5. of
this Chapter.)

C6.3.1.1.5. Categories of records in the system. (See paragraph C6.3.6. of this Chapter.)

C6.3.1.1.6. Authority for maintenance of the system. (See paragraph C6.3.7. of this Chapter.)

C6.3.1.1.7. Purpose(s). (See paragraph C6.3.8. of this Chapter.)

C6.3.1.1.8. Routine uses of records maintained in the system, including categories of
users and the purposes of such uses. (See paragraph C6.3.9. of this Chapter.)

C6.3.1.1.9. Disclosure to Consumer Reporting Agencies. This element is optional but
required when disclosing to consumer reporting agencies. (See paragraph C4.2.12 of Chapter 4.)

C6.3.1.1.10. Policies and practices for storing, retrieving, accessing, retaining, and
disposing of records in the system. (See paragraph C6.3.10. of this Chapter.)

C6.3.1.1.11. Systems manager(s) and address. (See paragraph C6.3.11. of this Chapter.)

C6.3.1.1.12. Notification procedure. (See paragraph C6.3.12. of this Chapter.)

C6.3.1.1.13. Record access procedures. (See paragraph C6.3.13. of this Chapter.)

C6.3.1.1.14. Contesting records procedures. (See paragraph C6.3.14. of this Chapter.)

C6.3.1.1.15. Record source categories. (See paragraph C6.3.15. of this Chapter.)

C6.3.1.1.16. Exemptions claimed for the system. (See paragraph C6.3.16. of this Chapter.)

C6.3.1.2. The captions listed in subparagraph C6.3.1.1. of this Chapter have been mandated
by the Office of the Federal Register and must be used exactly as presented.

C6.3.1.3. A sample system notice is shown in Appendix 5.

C6.3.2.  System  Identifier.  The  system  identifier  must  appear  on  all  system  notices  and  is 
limited  to  120  positions,  unless  an  exception  is  granted  by  the  Defense  Privacy  Office,  including 
Component code, file number and symbols, punctuation, and spacing.

C6.3.3. System Name

C6.3.3.1.  The  name  of  the  system  reasonably  identifies  the  general  purpose  of  the  system 
and,  if  possible,  the  general  categories  of  individuals  involved. 

C6.3.3.2.  Use  acronyms  only  parenthetically  following  the  title  or  any  portion  thereof,  such 
as,  “Defense  Civilian  Payroll  System  (DCPS).”  Do  not  use  acronyms  that  are  not  commonly 
known  unless  they  are  preceded  by  an  explanation. 

C6.3.3.3.  The  system  name  may  not  exceed  55  character  positions,  unless  an  exception  is 
granted  by  the  Defense  Privacy  Office,  including  punctuation  and  spacing. 

C6.3.3.4.  The  system  name  should  not  be  the  name  of  the  database  or  the  IT  system  if  the 
name  does  not  meet  the  criteria  in  subparagraph  C6.3.3.1. 

C6.3.4.  System  Location 

C6.3.4.1.  For  systems  maintained  in  a  single  location  provide  the  exact  office  name, 
organizational  identity,  and  address. 

C6.3.4.2.  For  geographically  or  organizationally  decentralized  systems,  specify  each  level 
of  organization  or  element  that  maintains  a  segment  of  the  system,  to  include  their  mailing  address, 
or  indicate  that  the  official  mailing  addresses  are  published  as  an  Appendix  to  the  Component’s 
compilation  of  system  of  records  notices,  or  provide  an  address  where  a  complete  listing  of 
locations  can  be  obtained. 

C6.3.4.3. Use the standard U.S. Postal Service two-letter State abbreviation symbols and
9-digit Zip Codes for all domestic addresses.

C6.3.5. Categories of Individuals Covered by the System

C6.3.5.1. Set forth the specific categories of individuals to whom records in the system
pertain in clear, easily understood, non-technical terms.

C6.3.5.2. Avoid the use of broad over-general descriptions, such as “all Army personnel”
or “all military personnel” unless this actually reflects the category of individuals involved.

C6.3.6.  Categories  of  Records  in  the  System 

C6.3.6.1. Describe in clear, non-technical terms the types of records maintained in the
system.

C6.3.6.2. Only documents actually maintained in the system of records shall be described,
not source documents that are used only to collect data and then destroyed.

C6.3.7. Authority for Maintenance of System

C6.3.7.1. Cite the specific provision of the Federal statute or Executive Order that
authorizes the maintenance of the system.

C6.3.7.2.  Include  with  citations  for  statutes  the  popular  names,  when  appropriate  (for 
example,  Section  2103  of  title  51,  United  States  Code,  “Tea-Tasters  Licensing  Act”),  and  for 
Executive  Orders,  the  official  title  (for  example,  Executive  Order  No.  9397,  “Numbering  System 
for  Federal  Accounts  Relating  to  Individual  Persons”). 

C6.3.7.3.  If  direct  statutory  authority  or  an  Executive  Order  does  not  exist,  indirect 
statutory  authority  may  be  cited  if  the  authority  requires  the  operation  or  administration  of  a 
program,  the  execution  of  which  will  require  the  collection  and  maintenance  of  a  system  of 
records. 

C6.3.7.4. If direct or indirect authority does not exist, the DoD, as well as the Army, Navy,
and Air Force general “housekeeping” statutes (e.g., section 301 of 5 U.S.C. (Reference (x)) and
Sections 3013, 5013, and 8013 of Reference (r)) may be cited if the Secretary, or those offices to
which responsibility has been delegated, are required to collect and maintain systems of records in
order to discharge assigned responsibilities. If the housekeeping statute is cited, the regulatory
authority implementing the statute within the Department of Defense or Component also shall be
identified.

C6.3.7.5. If the SSN is being collected and maintained, Executive Order 9397 (Reference
(l)) shall be cited.

C6.3.8.  Purpose  or  Purposes 

C6.3.8.1. List the specific purposes for maintaining the system of records by the
Component.

C6.3.8.2.  All  internal  uses  of  the  information  within  the  Department  or  Component  shall  be 
identified.  Such  uses  are  the  so-called  “internal  routine  uses.” 

C6.3.9.  Routine  Uses 

C6.3.9.1. Except as otherwise authorized by Chapter 4 of this Regulation, disclosure of
information from a system of records to any person or entity outside the Department of Defense
(See subparagraph C4.1.2) may only be made pursuant to a routine use that has been established for
the specific system of records.

C6.3.9.2. Each routine use shall include to whom the information is being disclosed and
for what use and purpose the information will be used. Routine uses shall be written as follows:

C6.3.9.2.1. “To ... [person or entity outside of DoD that will receive the information]
to ... [what will be done with the information] for the purpose(s) of ... [what objective is sought to
be achieved].”

C6.3.9.2.2.  To  the  extent  practicable,  general  statements,  such  as  “to  other  Federal 
agencies  as  required,”  or  “to  any  other  appropriate  Federal  agency”  shall  be  avoided. 

C6.3.9.3.  Blanket  routine  uses  (Appendix  3)  have  been  adopted  that  apply  to  all 
Component  system  notices.  The  blanket  routine  uses  appear  at  the  beginning  of  each  Component’s 
compilation  of  its  system  notices. 

C6.3.9.3.1. Each system notice shall contain a statement whether or not the blanket
routine uses apply to the system.

C6.3.9.3.2.  Each  notice  may  state  that  none  of  the  blanket  routine  uses  apply  or  that  one 
or  more  do  not  apply. 

C6.3.10. Policies and Practices For Storing, Retrieving, Accessing, Retaining, and Disposing of
Records. This caption is subdivided into four parts:

C6.3.10.1. Storage. Indicate the medium in which the records are maintained. For
example, a system may be “automated, maintained on compact disks, diskettes,” “manual,
maintained in paper files,” or “hybrid, maintained in a combination of paper and automated form.”
Storage does not refer to the container or facility in which the records are kept.

C6.3.10.2. Retrievability. Specify how the records are retrieved (for example, name, SSN,
or some other unique personal identifier assigned the individual).

C6.3.10.3. Safeguards. Identify the system safeguards, such as storage in safes, vaults,
locked cabinets or rooms, use of guards, visitor registers, personnel screening, or password
protected IT systems, encrypted IT systems. Also identify personnel who have access to the
systems. Do not describe safeguards in such detail as to compromise system security.

C6.3.10.4. Retention and Disposal. Indicate how long the record is retained. When
appropriate, also state the length of time the records are maintained by the Component, when they
are transferred to a Federal Records Center, time of retention at the Records Center and when they
are transferred to the National Archivist or are destroyed. A reference to a Component regulation
without further detailed information is insufficient. If records are eventually destroyed instead
of retired, identify the method of destruction (e.g., shredding, burning, pulping).

C6.3.11.  System  Manager(s)  and  Address 

C6.3.11.1. List the title and address of the official responsible for the management of the
system.

C6.3.11.2. If the title of the specific official is unknown, such as for a local system, specify
the local commander or office head as the systems manager.

C6.3.11.3. For geographically separated or organizationally-decentralized activities for
which individuals may deal directly with officials at each location in exercising their rights, list the
position or duty title of each category of officials responsible for the system or a segment thereof.

C6.3.11.4. Do not include business or duty addresses if they are listed in the Component
address directory.

C6.3.12.  Notification  Procedures 

C6.3.12.1. Describe how an individual may determine if there are records pertaining to
him or her in the system. The procedural rules may be cited, but include a brief procedural
description of the needed data. Provide sufficient information in the notice to allow an individual
to exercise his or her rights without referral to the formal rules.

C6.3.12.2. As a minimum, the caption shall include:

C6.3.12.2.1. The official title (normally the system manager) and official address to
which the request is to be directed;

C6.3.12.2.2. The specific information required to determine if there is a record of the
individual in the system;

C6.3.12.2.3. Identification of the offices through which the individual may obtain
notification; and

C6.3.12.2.4. A description of any proof of identity required. See paragraph C3.1.3. of
Chapter 3.

C6.3.12.3. When appropriate, the individual may be referred to a Component official, who
shall provide this information to him or her.

C6.3.13.  Record  Access  Procedures 

C6.3.13.1. Describe how an individual can gain access to the records pertaining to him or
her in the system. The procedural rules may be cited, but include a brief procedural description of
the needed data. Provide sufficient information in the notice to allow an individual to exercise his
or her rights without referral to the formal rules.

C6.3.13.2. As a minimum, the caption shall include:

C6.3.13.2.1. The official title (normally the system manager) and official address to
which the request is to be directed;

C6.3.13.2.2. A description of any proof of identity required. (See paragraph C3.1.3. of
Chapter 3); and

C6.3.13.3. When appropriate, the individual may be referred to a Component official, who
shall provide the records to him or her.

C6.3.14.  Contesting  Record  Procedures 

C6.3.14.1. Describe how an individual may contest the content of a record pertaining to
him or her in the system.

C6.3.14.2. The detailed procedures for contesting a record need not be identified if the
Component procedural rules are readily available to the public. (For example, “The Office of the
Secretary of Defense” rules for contesting contents are contained in 32 CFR 311.) All Component
procedural rules are set forth at a Departmental public Web site (see
http://www.defenselink.mil/privacy/cfr-rules.html).

C6.3.14.3. The individual may also be referred to the system manager to determine these
procedures. 

C6.3.15.  Record  Source  Categories 

C6.3.15.1. Describe where (the individual, other Component documentation, other Federal
agencies, etc.) the information contained in the system was obtained.

C6.3.15.2. Specific individuals or institutions need not be identified by name, particularly if
these sources have been granted confidentiality. See paragraph C5.4.2. of Chapter 5.

C6.3.16. Exemptions Claimed for the System

C6.3.16.1. If no exemption has been claimed for the system, indicate “None.”

C6.3.16.2. If an exemption is claimed, cite the exemption as well as identifying the CFR
section containing the exemption rule for the system.

C6.3.17. Maintaining the Master DoD System Notice Registry

C6.3.17.1. The Defense Privacy Office maintains a master registry of all DoD record
systems notices.

C6.3.17.2. The Defense Privacy Office also posts all DoD system notices to a public Web
site (see http://www.defenselink.mil/privacy/notices).


C6.4. NEW AND ALTERED RECORD SYSTEMS

C6.4.1. Criteria for a New Record System

C6.4.1.1. If a Component is maintaining a system of records as contemplated by paragraph
C1.1.1., and a system notice has not been published for it in the Federal Register, the Component
shall establish a system notice consistent with the requirements of this Chapter.

C6.4.1.2. If a notice for a system of records has been canceled or deleted, but a
determination is subsequently made that the system will be reinstated or reused, the system may not
be operated (information collected or used) until a new notice is published in the Federal Register.

C6.4.2.  Criteria  for  an  Altered  Record  System.  A  system  is  considered  altered  whenever  one 
of  the  following  actions  occurs  or  is  proposed: 

C6.4.2.1. A significant increase or change in the number or type of individuals about whom
records are maintained.

C6.4.2.1.1. Only changes that alter significantly the character and purpose of the record
system are considered alterations.

C6.4.2.1.2. Increases in numbers of individuals due to normal growth are not
considered alterations unless they truly alter the character and purpose of the system.

C6.4.2.1.3. Increases that change significantly the scope of population covered (for
example, expansion of a system of records covering a single command’s enlisted personnel to
include all of the Component’s enlisted personnel would be considered an alteration).

C6.4.2.1.4. A reduction in the number of individuals covered is not an alteration, but
only an amendment. See paragraph C6.5.1. of this Chapter.

C6.4.2.1.5.  All  changes  that  add  new  categories  of  individuals  to  system  coverage 
require  a  change  to  the  “Categories  of  individuals  covered  by  the  system”  caption  of  the  notice  (see 
paragraph  C6.3.5.  of  this  Chapter)  and  may  require  changes  to  the  “Purpose(s)”  caption  (see 
paragraph  C6.3.8.  of  this  Chapter). 

C6.4.2.2.  An  expansion  in  the  types  or  categories  of  information  maintained. 

C6.4.2.2.1. The addition of any new category of records not described under the
“Categories of Records in the System” caption is considered an alteration.

C6.4.2.2.2. Adding a new data element that is clearly within the scope of the categories
of records described in the existing notice is an amendment. (See paragraph C6.5.1. of this
Chapter.) An amended notice may not be required if the data element is clearly covered by the
record category identified in the existing system notice.

C6.4.2.2.3. All changes under this criterion require a change to the “Categories of
Records in the System” caption of the notice. (See paragraph C6.3.6. of this Chapter.)

C6.4.2.3. An alteration of how the records are organized or the manner in which the records
are indexed and retrieved.

C6.4.2.3.1. The change must alter the nature of use or scope of the records involved
(for example, combining records systems in a reorganization).

C6.4.2.3.2. Any change under this criterion requires a change in the “Retrievability”
caption of the system notice. (See paragraph C6.3.10.2. of this Chapter.)

C6.4.2.3.3. If the records are no longer retrieved by name or personal identifier, cancel
the system notice. (See paragraph C1.1.2. of Chapter 1.)

C6.4.2.4.  A  change  in  the  purpose  for  which  the  information  in  the  system  is  used. 

C6.4.2.4.1. The new purpose must not be compatible with the existing purposes for
which the system is maintained.

C6.4.2.4.2.  If  the  use  is  compatible  and  reasonably  expected,  there  is  no  change  in 
purpose  and  no  alteration  occurs. 

C6.4.2.4.3.  Any  change  under  this  criterion  requires  a  change  in  the  “Purpose(s)” 
caption  (see  paragraph  C6.3.8.  of  this  Chapter)  and  may  require  a  change  in  the  “Authority  for 
maintenance  of  the  system”  caption  (see  paragraph  C6.3.7.  of  this  Chapter). 

C6.4.2.5.  Changes  that  alter  the  computer  environment  (such  as  changes  to  equipment 
configuration,  software,  or  procedures)  so  as  to  create  the  potential  for  greater  or  easier  access. 

C6.4.2.5.1. Increasing the number of offices with direct access is an alteration.

C6.4.2.5.2.  Software  applications,  such  as  operating  systems  and  system  utilities,  which 
provide  for  easier  access  are  considered  alterations. 

C6.4.2.5.3.  The  addition  of  an  on-line  capability  to  a  previously  batch-oriented  system 
is  an  alteration. 

C6.4.2.5.4. The addition of peripheral devices such as tape devices, disk devices, card
readers, printers, and similar devices to an existing IT system constitutes an amendment if system
security is preserved. (See paragraph C6.5.1. of this Chapter.)

C6.4.2.5.5. Changes to existing equipment configuration with on-line capability need
not be considered alterations to the system if:

C6.4.2.5.5.1. The change does not alter the present security posture; or

C6.4.2.5.5.2. The addition of terminals does not extend the capacity of the current
operating system and existing security is preserved.

C6.4.2.5.6. The connecting of two or more formerly independent automated systems or
networks together creating a potential for greater access is an alteration.

C6.4.2.5.7. Any change under this caption requires a change to the “Storage” caption
element of the systems notice. (See paragraph C6.3.10.1. of this Chapter.)

C6.4.3.  Reports  of  New  and  Altered  Systems 

C6.4.3.1.  Components  shall  submit  a  report  for  all  new  or  altered  systems  to  the  Defense 
Privacy  Office  consistent  with  the  requirements  of  this  chapter  and  in  the  format  prescribed  at 
Appendix  6. 

C6.4.3.1.1. Components shall include the following when submitting an alteration for a
system notice for publication in the Federal Register:

C6.4.3.1.1.1. The system identifier and name. (See paragraphs C6.3.2. and C6.3.3.
of this Chapter.)

C6.4.3.1.1.2. A description of the nature and specific changes proposed.

C6.4.3.1.2.  The  full  text  of  the  system  notice  need  not  be  submitted  if  the  master 
registry  contains  a  current  system  notice  for  the  system.  (See  paragraph  C6.3.17.  of  this  Chapter.) 

C6.4.3.2.  The  Defense  Privacy  Office  coordinates  all  Congressional  and  OMB  reports  of 
new  and  altered  systems  with  the  Office  of  the  Assistant  Secretary  of  Defense  (Legislative  Affairs), 
Department  of  Defense. 

C6.4.3.3.  The  Defense  Privacy  Office  prepares  and  sends  a  transmittal  letter  that  forwards 
the  report,  as  well  as  the  new  or  altered  system  notice,  to  OMB  and  Congress. 

C6.4.3.4.  The  Defense  Privacy  Office  shall  publish  in  the  Federal  Register  a  system  notice 
for  new  or  altered  systems. 

C6.4.4.  Time  Restrictions  on  the  Operation  of  a  New  or  Altered  System 

C6.4.4.1. The reports, and the new or altered system notice, must be provided OMB and
Congress at least 40 days prior to the operation of the new or altered system. The 40-day review
period begins to run on the date that the transmittal letters are signed and dated.

C6.4.4.2. The system notice must be published in the Federal Register before a Component
begins to operate the system (i.e., collect and use the information). If the new system has routine
uses or the altered system adds a new routine use, no records may be disclosed pursuant to the
routine use until the public has had 30 days to comment on the proposed use.

C6.4.4.3. The time periods run concurrently.

C6.4.5.  Exemptions  for  New  Systems.  See  paragraph  C6.1.5.  of  this  Chapter  for  the 
procedures  to  follow  in  submitting  exemption  rules  for  a  new  system  of  records  or  for  submitting 
an  exemption  rule  for  an  existing  system  of  records. 


C6.5.  AMENDMENT  AND  DELETION  OF  SYSTEMS  NOTICES 

C6.5.1.  Criteria  for  an  Amended  System  Notice 

C6.5.1.1. Certain minor changes to published systems notices are considered amendments
and not alterations. See paragraph C6.4.2. of this Chapter.

C6.5.1.2. Amendments do not require a report of an altered system (see paragraph C6.4.3.
of this Chapter), but must be published in the Federal Register.

C6.5.2.  System  Notices  for  Amended  Systems.  Components  shall  include  the  following  when 
submitting  an  amendment  for  a  system  notice  for  publication  in  the  Federal  Register: 

C6.5.2.1.  The  system  identifier  and  name.  (See  paragraphs  C6.3.2.  and  C6.3.3.  of  this 
Chapter.) 

C6.5.2.2.  A  description  of  the  nature  and  specific  changes  proposed. 

C6.5.2.3.  The  full  text  of  the  system  notice  need  not  be  submitted  if  the  master  registry 
contains  a  current  system  notice  for  the  system.  (See  paragraph  C6.3.17.  of  this  Chapter.) 

C6.5.3.  Deletion  of  System  Notices 

C6.5.3.1. Whenever a system is discontinued, combined into another system, or determined
no longer to be subject to this Regulation, a deletion notice is required.

C6.5.3.2. The notice of deletion shall include:

C6.5.3.2.1. The system identification and name.

C6.5.3.2.2.  The  reason  for  the  deletion. 

C6.5.3.3.  When  the  system  is  eliminated  through  combination  or  merger,  identify  the 
successor  system  or  systems  in  the  deletion  notice. 

C6.5.4. Submission of Amendments and Deletions for Publication

C6.5.4.1. Submit amendments and deletions to the Defense Privacy Office for transmittal
to the Federal Register for publication.

C6.5.4.2. Multiple deletions and amendments may be combined into a single submission.

C7. CHAPTER 7

TRAINING REQUIREMENTS

C7.1. STATUTORY TRAINING REQUIREMENTS

The  Privacy  Act  (Reference  (b))  requires  each  Agency  to  establish  rules  of  conduct  for  all  persons 
involved  in  the  design,  development,  operation,  and  maintenance  of  any  system  of  record  and  to 
train  these  persons  with  respect  to  these  rules. 


C7.2.  OMB  TRAINING  GUIDELINES 

The  OMB  guidelines  (Reference  (y))  require  all  Agencies  additionally  to: 

C7.2.1. Instruct their personnel in their rules of conduct and other rules and procedures adopted
in implementing the Act, to ensure that they are reminded of their specific responsibilities for
safeguarding personally identifiable information, the rules for acquiring and using such
information, and the penalties for non-compliance.

C7.2.2. Incorporate training on the special requirements of the Act into both formal and
informal (on-the-job) training programs.


C7.3.  DoD  TRAINING  PROGRAMS 

C7.3.1.  The  training  shall  include  information  regarding  information  privacy  laws,  regulations, 
policies  and  procedures  governing  the  Department’s  collection,  maintenance,  use,  or  dissemination 
of  personal  information.  The  objective  is  to  establish  a  culture  of  sensitivity  to,  and  knowledge 
about,  privacy  issues  involving  individuals  throughout  the  Department. 

C7.3.2.  To  meet  these  training  requirements,  Components  may  establish  three  general  levels  of 
training  for  those  persons,  to  include  contractor  personnel,  who  are  involved  in  any  way  with  the 
design,  development,  operation,  or  maintenance  of  privacy  protected  systems  of  records.  These 
are: 


C7.3.2.1. Orientation. Training that provides basic understanding of this Regulation as it
applies to the individual’s job performance. This training shall be provided to personnel, as
appropriate, and should be a prerequisite to all other levels of training.

C7.3.2.2. Specialized Training. Training that provides information as to the application of
specific provisions of this Regulation to specialized areas of job performance. Personnel of
particular concern include, but are not limited to, medical personnel, intelligence specialists, finance
officers, DoD personnel who may be expected to deal with the news media or the public, special
investigators, paperwork managers, and other specialists (reports, forms, records, and related
functions), computer systems development personnel, computer systems operations personnel,
statisticians dealing with personal data and program evaluations, contractors that will either operate
systems of records on behalf of the Component or will have access to such systems incident to
performing the contract, and anyone responsible for implementing or carrying out functions under
this Regulation.

C7.3.2.3.  Management.  Training  designed  to  identify  for  responsible  managers  (such  as, 
senior  system  managers,  denial  authorities,  and  decision  makers)  considerations  that  they  should 
take  into  account  when  making  management  decisions  regarding  operational  programs  and 
activities  having  privacy  implications. 

C7.3.3.  Include  Privacy  Act  training  in  other  courses  of  training  when  appropriate.  Stress 
individual  responsibilities  and  advise  individuals  of  their  rights  and  responsibilities  under  this 
Regulation  to  ensure  that  it  is  understood  that,  where  personally  identifiable  information  is 
involved,  individuals  should  handle  and  treat  the  information  as  if  it  was  their  information. 


C7.4.  TRAINING  METHODOLOGY  AND  PROCEDURES 

C7.4.1. Each DoD Component is responsible for the development of training procedures and
methodology.

C7.4.2.  The  Defense  Privacy  Office  shall  assist  the  Components  in  developing  these  training 
programs  and  may  develop  privacy  training  programs  for  use  by  all  DoD  Components. 

C7.4.3. Components shall conduct training as frequently as believed necessary so that
personnel who are responsible for or are in receipt of information protected by Reference (b) are
sensitive to the requirements of this regulation, especially the access, use, and dissemination
restrictions. Components shall give consideration to whether annual training and/or annual
certification should be mandated for all or specified personnel whose duties and responsibilities
require daily interaction with personally identifiable information.

C7.4.4. Components shall conduct training that reaches the widest possible audience.
Web-based training and video conferencing have been effective means to provide such training.


C7.5.  FUNDING  FOR  TRAINING 

Each DoD Component shall fund its own privacy training program.

C8. CHAPTER 8
REPORTS 


C8.1. REQUIREMENT FOR REPORTS

The  Defense  Privacy  Office  shall  establish  requirements  for  DoD  Privacy  Reports  and  the  DoD 
Components  shall  be  required  to  provide  data. 


C8.2.  SUSPENSE  FOR  SUBMISSION  OF  REPORTS 

The  suspenses  for  submission  of  all  reports  shall  be  established  by  the  Defense  Privacy  Office. 


C8.3.  REPORTS  CONTROL  SYMBOL 

Any report established by this Chapter in support of the Privacy Program shall be assigned Report
Control Symbol DD-COMP(A) 1379.

C9. CHAPTER 9
INSPECTIONS 


C9.1.  PRIVACY  ACT  INSPECTIONS 

During  internal  inspections,  Component  inspectors  shall  be  alert  for  compliance  with  this 
Regulation  and  for  managerial,  administrative,  and  operational  problems  associated  with  the 
implementation  of  the  Defense  Privacy  Program.  Programs  shall  be  reviewed  as  frequently  as 
considered  necessary  by  Components,  or  the  Component  Inspector  General. 


C9.2.  INSPECTION  REPORTING 

C9.2.1. Document the findings of the inspectors in official reports that are furnished to the
responsible Component officials. These reports, when appropriate, shall reflect overall assets of the
Component Privacy Program inspected, or portion thereof, identify deficiencies, irregularities, and
significant problems. Also document remedial actions taken to correct problems identified.

C9.2.2. Retain inspection reports and later follow-up reports in accordance with established
records disposition standards. These reports shall be made available to the Privacy Program
officials concerned upon request.

C10. CHAPTER 10
PRIVACY ACT VIOLATIONS

C10.1. ADMINISTRATIVE REMEDIES

Any  individual  who  believes  he  or  she  has  a  legitimate  complaint  or  grievance  against  the 
Department  of  Defense  or  any  DoD  employee  concerning  any  right  granted  by  this  Regulation  shall 
be  permitted  to  seek  relief  through  appropriate  administrative  channels. 


C10.2.  CIVIL  ACTIONS 

An  individual  may  file  a  civil  suit  against  a  DoD  Component,  if  the  individual  believes  his  or  her 
rights  under  the  Act  have  been  violated  (See  Section  552a(g)  of  Reference  (b)). 


C10.3. CIVIL REMEDIES

In  addition  to  specific  remedial  actions,  Reference  (b)  provides  for  the  payment  of  damages,  court 
costs,  and  attorney  fees  in  some  cases. 


C10.4.  CRIMINAL  PENALTIES 

C10.4.1.  The  Act  also  provides  for  criminal  penalties  (see  section  552a(i)  of  Reference  (b)). 
Any  official  or  employee  may  be  found  guilty  of  a  misdemeanor  and  fined  not  more  than  $5,000  if 
he  or  she  willfully: 

C10.4.1.1. Discloses information from a system of records, knowing that dissemination is
prohibited, to anyone not entitled to receive the information (see Chapter 4); or

C10.4.1.2. Maintains a system of records without publishing the required public notice in
the Federal Register. (See Chapter 6.)

C10.4.2. Any person who knowingly and willfully requests or obtains access to any record
concerning another individual under false pretenses may be found guilty of a misdemeanor and fined
up to $5,000.


C10.5. LITIGATION STATUS SHEET

Whenever a complaint citing the Privacy Act is filed in a U.S. District Court against the
Department of Defense, a DoD Component, or any DoD employee, the responsible system manager
shall notify the Defense Privacy Office. The litigation status sheet at Appendix 8 provides a
standard format for this notification. The initial litigation status sheet forwarded shall, as a
minimum, provide the information required by items 1 through 6. A revised litigation status sheet
shall be provided at each stage of the litigation. When a court renders a formal opinion or
judgment, copies of the judgment and opinion shall be provided to the Defense Privacy Office with
the litigation status sheet reporting that judgment or opinion.


C10.6. LOST, STOLEN, OR COMPROMISED INFORMATION

C10.6.1. When a loss, theft, or compromise of information occurs (see Chapter 1 of this
regulation), the breach shall be reported to:

C10.6.1.1. The United States Computer Emergency Readiness Team (US CERT) within
one hour of discovering that a breach of personally identifiable information has occurred.
Components shall establish procedures to ensure that US CERT reporting is accomplished in
accordance with the guidance set forth at www.us-cert.gov. The underlying incident that led to the
loss or suspected loss of PII (e.g., computer incident, theft, loss of material, etc.) shall continue to
be reported in accordance with established procedures (e.g., to designated Computer Network
Defense (CND) Service Providers, Chairman of the Joint Chiefs of Staff Manual 6510.01
(Reference (z)), law enforcement authorities, the chain of command, etc.).

C10.6.1.2. The Senior Component Official for Privacy (Reference (a)) within 24 hours of
discovering that a breach of personally identifiable information has occurred. The Senior
Component Official for Privacy, or their designee, shall notify the Defense Privacy Office of the
breach within 48 hours upon being notified that a loss, theft, or compromise has occurred. The
notification shall include the following information:

C10.6.1.2.1. Identify the Component/organization involved.

C10.6.1.2.2. Specify the date of the breach and the number of individuals impacted, to
include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military
retirees; family members; other Federal personnel or members of the public, etc.

C10.6.1.2.3. Briefly describe the facts and circumstances surrounding the loss, theft, or
compromise.

C10.6.1.2.4. Briefly describe actions taken in response to the breach, to include whether
the incident was investigated and by whom; the preliminary results of the inquiry if then known;
actions taken to mitigate any harm that could result from the breach; whether the affected
individuals are being notified, and if this will not be accomplished within 10 working days, that
action will be initiated to notify the Deputy Secretary (see paragraph C1.5.1.4.); what remedial
actions have been, or will be, taken to prevent a similar such incident in the future, e.g., refresher
training conducted, new or revised guidance issued; and any other information considered pertinent
as to actions to be taken to ensure that information is properly safeguarded.

C10.6.2. The Component shall determine whether administrative or disciplinary action is
warranted and appropriate for those individuals determined to be responsible for the loss, theft, or
compromise.

C11. CHAPTER 11
COMPUTER MATCHING PROGRAM PROCEDURES


C11.1. GENERAL

C11.1.1. Computer matches cover two kinds of matching programs, 54 Federal Register 25818
(Reference (aa)). If covered, the matches are subject to the requirements of this chapter. The
covered programs are:

C11.1.1.1. Matches using records from Federal personnel or payroll systems of records, or

C11.1.1.2. Matches involving Federal benefits program if:

C11.1.1.2.1. To determine eligibility for a Federal benefit,

C11.1.1.2.2. To determine compliance with benefit program requirements, or

C11.1.1.2.3. To effect recovery of improper payments or delinquent debts under a
Federal benefit program.

C11.1.2. The requirements of this Regulation do not apply if matches are:

C11.1.2.1. Performed solely to produce aggregated statistical data without any personal
identifiers. Personally identifying data can be used for purposes of conducting the match.
However, the results of the match shall be stripped of any data that would identify an individual.
Under no circumstances shall match results be used to take action against specific individuals.

C11.1.2.2. Performed to support research or statistical projects. Personally identifying data
can be used for purposes of conducting the match and the match results may contain identifying
data about individuals. However, the match results shall not be used to make a decision that
affects the rights, benefits, or privileges of specific individuals.

C11.1.2.3. Performed by an agency, or a component thereof, whose principal function is
the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law
enforcement investigation of a named individual or individuals.

C11.1.2.3.1. The match must flow from an investigation already underway which
focuses on a named person or persons. “Fishing expeditions” in which the subjects are generically
identified, such as “program beneficiaries,” are not covered.

C11.1.2.3.2. The match must be for the purpose of gathering evidence against the
named individual or individuals.

C11.1.2.4. Performed for tax information-related purposes.

C11.1.2.5. Performed for routine administrative purposes using records relating to Federal
personnel.

C11.1.2.5.1. The records to be used in the match must predominantly relate to Federal
personnel (i.e., the percentage of records in the system of records that are about Federal personnel
must be greater than that of any other category).

C11.1.2.5.2. The purpose of the match must not be for purposes of taking any adverse
financial, personnel, disciplinary, or other unfavorable action against an individual.

C11.1.2.6. Performed using only records from systems of records maintained by an agency.

C11.1.2.6.1. The purpose of the match must not be for purposes of taking any adverse
financial, personnel, disciplinary, or other unfavorable action against an individual.

C11.1.2.6.2. A match of DoD personnel using records in a system of records for
purposes of identifying fraud, waste, and abuse is not covered.

C11.1.2.7. Performed to produce background checks for security clearances of Federal or
contractor personnel or performed for foreign counter-intelligence purposes.


C11.2. COMPUTER MATCHING PUBLICATION AND REVIEW REQUIREMENTS

C11.2.1. DoD Components shall identify the systems of records that will be used in the match
to ensure that the publication requirements of Chapter 6 of this Regulation have been satisfied. If
the match will require disclosure of records outside the Department of Defense, Components shall
ensure that a routine use has been established, and that the publication and review requirements
have been met, before any disclosures are made (see Chapter 6 of this Regulation).

C11.2.2. If a computer matching program is contemplated, the DoD Component shall contact
the Defense Privacy Office and provide information regarding the contemplated match. The DoD
Privacy Office (DPO) shall ensure that any proposed computer matching program satisfies the
requirements of References (b) and (aa).

C11.2.3. A computer matching agreement (CMA) shall be prepared by the Component,
consistent with the requirements of paragraph C11.3. and submitted to the DPO. If the CMA
satisfies the requirements of References (b) and (aa), as well as this Regulation, it shall be
forwarded to the Defense Data Integrity Board (DIB) for approval or disapproval.

C11.2.3.1. If the CMA is approved by the DIB, the DPO shall prepare and forward a report
to both Houses of Congress and to OMB as required by, and consistent with, OMB Circular A-130
(Reference (ab)). Congress and OMB shall have 40 days to review and comment on the proposed
match. Any comments received must be resolved before matching can take place.

C11.2.3.2. If the CMA is approved by the DIB, the DPO shall prepare and forward a match
notice as required by Reference (ab) for publication in the Federal Register. The public shall be
given 30 days to comment on the proposed match. Any comments received must be resolved
before matching can take place.


C11.3. COMPUTER MATCHING AGREEMENTS (CMA)

C11.3.1. If a match is to be conducted internally within the Department of Defense, a
memorandum of understanding (MOU) shall be prepared. It shall contain the same elements as a
CMA, except as otherwise indicated in C11.3.2.4.2.

C11.3.2. A CMA shall contain the following elements:

C11.3.2.1. Purpose. Why the match is being proposed and what will be achieved by
conducting the match.

C11.3.2.2. Legal Authority. What is the Federal or state statutory or regulatory basis for
conducting the match. The Privacy Act does not constitute independent authority for matching.
Other legal authority shall be identified.

C11.3.2.3. Justification and Expected Results. Explain why computer matching as opposed
to some other administrative means is being proposed and what the expected results will be,
including a specific estimate of any savings (see paragraph C11.3.2.13. of this Chapter).

C11.3.2.4. Records Description. Identify:

C11.3.2.4.1. The system of records or non-Federal records. For DoD systems of
records, provide the Federal Register citation for the system notice;

C11.3.2.4.2. The specific routine use in the system notice if records are to be disclosed
outside the Department of Defense (see paragraph 4.2.3 of Chapter 4). If records are disclosed
within the Department of Defense for an internal match, disclosures are permitted pursuant to
paragraph 4.2.1 of Chapter 4.

C11.3.2.4.3. The number of records involved;

C11.3.2.4.4. The data elements to be included in the match;

C11.3.2.4.5. The projected start and completion dates of the match. CMAs remain in
effect for 18 months, but can be renewed for an additional 12 months provided:

C11.3.2.4.5.1. The match will be conducted without any change, and

C11.3.2.4.5.2. Each party to the match certifies in writing that the program has been
conducted in compliance with the CMA or MOU.

C11.3.2.4.6. How frequently the records will be matched.

C11.3.2.5. Records Accuracy Assessment. Provide an assessment by the source and
recipient agencies as to the quality of the information that will be used for the match. The poorer
the quality, the more likely that the program will not be cost-effective.

C11.3.2.6. Notice Procedures. Identify what direct and indirect means will be used to
inform individuals that matching will take place.

C11.3.2.6.1. Direct Notice. Indicate whether the individual is advised that matching
may be conducted when he or she applies for a Federal benefit program. Such an advisory should
normally be part of the Privacy Act Statement that is contained in the application for benefits.
Individual notice sometimes is provided by a separate notice that is furnished to the individual upon
receipt of the benefit.

C11.3.2.6.2. Indirect Notice. Indicate whether the individual is advised that matching
may be conducted by constructive notice. Indirect or constructive notice is achieved by publication
of a routine use in the Federal Register when the matching is between agencies or is achieved by
publication of the match notice in the Federal Register.

C11.3.2.7. Verification Procedures. Explain how information produced as a result of the
match will be independently verified to ensure that any adverse information obtained is that of the
individual identified in the match.

C11.3.2.8. Due Process Procedures. Describe what procedures will be used to notify
individuals of any adverse information uncovered as a result of the match and to give such
individuals an opportunity to either explain the information or how they may contest the
information. No adverse action shall be taken against the individual until the due process
procedures have been satisfied.

C11.3.2.8.1. Unless other statutory or regulatory authority provides for a longer period
of time, the individual shall be given 30 calendar days from the date of the notice to respond to the
notice.

C11.3.2.8.2. If an individual contacts the agency within the notice period and indicates
his or her acceptance of the validity of the adverse information, the agency may take final action. If
the period expires without a response, the agency may take final action.

C11.3.2.8.3. If the agency determines that there is a potentially significant effect on
public health or safety, it may take appropriate action notwithstanding the due process provisions.

C11.3.2.9. Security Procedures. Describe the administrative, technical, and physical
safeguards that will be established to preserve and protect the privacy and confidentiality of the
records involved in the match. The level of security must be commensurate with the level of the
sensitivity of the records.

C11.3.2.10. Records Usage, Duplication, and Redisclosure Restrictions. Describe any
restrictions imposed by the source agency or by statute or regulation on the collateral uses of the
records. Recipient agencies may not use the records obtained for matching purposes for any other
purpose absent a specific statutory requirement or where the disclosure is essential to the conduct
of the matching program.

C11.3.2.11. Disposition Procedures. Clearly state that the records used in the match will be
retained only for the time required for conducting the match. Once the matching purpose has been
achieved, the records will be destroyed unless the records must be retained as directed by other
legal authority. Unless the source agency requests that the records be returned, identify the means
by which destruction will occur, e.g., shredding, burning, electronic erasure.

C11.3.2.12. Comptroller General Access. Include a statement that the Comptroller
General may have access to all records of the recipient agency to monitor or verify compliance with
the terms of the CMA.

C11.3.2.13. Cost-Benefit Analysis.

C11.3.2.13.1. A cost-benefit analysis shall be conducted for the proposed computer
matching program unless:

C11.3.2.13.1.1. The Data Integrity Board waives the requirement in writing, or

C11.3.2.13.1.2. The matching program is required by a specific statute.

C11.3.2.13.2. The analysis must demonstrate that the program is likely to be
cost-effective. This analysis is to ensure that agencies are following sound management practices. The
analysis provides an opportunity to examine the programs and to reject those that will only produce
marginal results.

AP1. APPENDIX 1

SAFEGUARDING  PERSONALLY  IDENTIFIABLE  INFORMATION  (PII) 

AP1.1. GENERAL

AP1.1.1. The IT environment subjects personal information to special hazards as to
unauthorized compromise, alteration, dissemination, and use. Therefore, special considerations
must be given to safeguarding personal information in IT systems consistent with the requirements
of DoD Directive 8500.1 (Reference (ac)) and Reference (ae).

AP1.1.2. Personally identifiable information must also be protected while it is being processed
or accessed in computer environments outside the data processing installation (such as remote job
entry stations, terminal stations, minicomputers, microprocessors, and similar activities).

AP1.1.3. IT facilities authorized to process classified material have adequate procedures and
security for the purposes of this Regulation. However, all unclassified information subject to this
Regulation must be processed following the procedures used to process and access information
designated “FOUO.” (See Reference (h).)


AP1.2. RISK MANAGEMENT AND SAFEGUARDING STANDARDS

AP1.2.1. Establish administrative, technical, and physical safeguards that are adequate to
protect the information against unauthorized disclosure, access, or misuse. (See OMB Circular
A-130 (Reference (ab)) and DoD Instruction 8500.2 (Reference (ae)).)

AP1.2.2. Tailor safeguards to the type of system, the nature of the information involved, and
the specific threat to be countered.


AP1.3. MINIMUM ADMINISTRATIVE SAFEGUARDS

The minimum safeguarding standards as set forth in paragraph C1.4.2. of Chapter 1 apply to all
personal data within any IT system. In addition:

AP1.3.1. Consider the following when establishing IT safeguards:

AP1.3.1.1. The sensitivity of the data being processed, stored and accessed.

AP1.3.1.2. The installation environment.

AP1.3.1.3. The risk of exposure.

AP1.3.1.4. The cost of the safeguard under consideration.

AP1.3.2. Label or designate media products containing personal information that do not
contain classified material in such a manner as to alert those using or handling the information of
the need for special protection. Designating products “For Official Use Only” in accordance with
Reference (h) satisfies this requirement.

AP1.3.3. Mark and protect all computer products containing classified data in accordance with
References (h) and (ac).

AP1.3.4. Mark and protect all computer products containing “For Official Use Only” material
in accordance with Reference (h).

AP1.3.5. Ensure that safeguards for protected information stored at secondary sites are
appropriate.

AP1.3.6. If there is a computer failure, restore all protected information being processed at the
time of the failure using proper recovery procedures to ensure data integrity.

AP1.3.7. Train personnel involved in processing information subject to this Regulation in
proper safeguarding procedures.


AP1.4. PHYSICAL SAFEGUARDS

AP1.4.1. For all unclassified facilities, areas, and devices that process information subject to
this Regulation, establish physical safeguards that protect the information against reasonably
identifiable threats that could result in unauthorized access or alteration.

AP1.4.2. Develop access procedures for unclassified computer rooms, tape libraries,
micrographic facilities, decollating shops, product distribution areas, or other direct support areas
that process or contain personal information subject to this Regulation that adequately control
access to these areas.

AP1.4.3. Safeguard on-line devices directly coupled to IT systems that contain or process
information from systems of records to prevent unauthorized disclosure, use, or alteration.

AP1.4.4. Dispose of paper records following appropriate record destruction procedures. (See
paragraph C1.4.3. and Reference (h).)


AP1.5. TECHNICAL SAFEGUARDS

AP1.5.1. Components are to ensure that all PII not explicitly cleared for public release is
protected according to Confidentiality Level Sensitive, as established in DoD Instruction 8500.2
(Reference (ae)). In addition, all DoD information and data owners shall conduct risk assessments
of compilations of PII and identify those needing more stringent protection for remote access or
mobile computing.

AP1.5.2. Encrypt unclassified personal information in accordance with current Information
Assurance (IA) policies and procedures, as issued.

AP1.5.3. Remove personal data stored on magnetic storage media by methods that preclude
reconstruction of the data.

AP1.5.4. Ensure that personal information is not inadvertently disclosed as residue when
transferring magnetic media between activities.

AP1.5.5. Only DoD authorized devices shall be used for remote access. Any remote access,
whether for user or privileged functions, must conform to IA controls specified in Reference (ae).

AP1.5.6. Remote access for processing PII should comply with the latest IA policies and
procedures.

AP1.5.7. Minimize access to the data fields necessary to accomplish an employee’s task.
Normally, access shall be granted only to those data elements (fields) required for the employee to
perform his or her job rather than granting access to the entire database.

AP1.5.8. Do not rely totally on proprietary software products to protect personnel data during
processing or storage.


AP1.6. SPECIAL PROCEDURES

AP1.6.1. Managers shall:

AP1.6.1.1. Prepare and submit for publication all system notices and amendments and
alterations thereto. (See paragraph C6.1.6. of Chapter 6.)

AP1.6.1.2. Identify required controls and individuals authorized access to PII and maintain
updates to the access authorizations.

AP1.6.1.3. When required, ensure Privacy Impact Assessments are prepared consistent with
the requirements of Section 3501 of title 44, U.S.C. (Reference (ad)) and the DoD Deputy Chief
Information Officer Memorandum (Reference (af)).

AP1.6.1.4. Train all personnel whose official duties require access to the system of records
in the proper safeguarding and use of the information and ensure that they receive Privacy Act
training.


AP1.7. RECORD DISPOSAL

AP1.7.1. Dispose of records subject to this Regulation so as to prevent compromise. (See
paragraph C1.4.3. of Chapter 1.) Magnetic tapes or other magnetic medium may be cleared by
degaussing, overwriting, or erasing. (See the DoD Memorandum (Reference (ag)).)

AP1.7.2. Do not use respliced waste computer products containing personal data.

AP2. APPENDIX 2
SAMPLE  NOTIFICATION  LETTER 


Dear  Mr.  John  Miller: 

On  January  1,  2006,  a  DoD  laptop  computer  was  stolen  from  the  parked  car  of  a  DoD  employee 
in  Washington,  D.C.  after  normal  duty  hours  while  the  employee  was  running  a  personal  errand. 
The  laptop  contained  personally  identifying  information  on  100  DoD  employees  who  were 
participating  in  the  xxx  Program.  The  compromised  information  is  the  name,  social  security 
number,  residential  address,  date  of  birth,  office  and  home  email  address,  office,  and  home 
telephone  numbers  of  the  Program  participants. 

The  theft  was  immediately  reported  to  local  and  DoD  law  enforcement  authorities,  who  are  now 
conducting  a  joint  inquiry  into  the  loss. 

We  believe  that  the  laptop  was  the  target  of  the  theft  as  opposed  to  any  information  that  the 
laptop  might  contain.  Because  the  information  in  the  laptop  was  password  protected  and  encrypted, 
we  also  believe  that  the  probability  is  low  that  the  information  will  be  acquired  and  used  for  an 
unlawful  purpose.  However,  we  cannot  say  with  certainty  that  this  might  not  occur.  We  therefore 
believe  that  you  should  consider  taking  such  actions  as  are  possible  to  protect  against  the  potential 
that  someone  might  use  the  information  to  steal  your  identity. 

You should be guided by the actions recommended by the Federal Trade Commission (FTC) at
its Web site at http://www.consumer.gov/idtheft/con_steps.htm. The FTC urges that you
immediately place an initial fraud alert on your credit file. The fraud alert is for a period of 90
days, during which creditors are required to contact you before a new credit card is issued or an
existing card changed. The site also provides other valuable information on steps that can be taken
now or in the future if problems should develop.

The Department of Defense takes this loss very seriously and is reviewing its current policies
and practices with a view to determining what must be changed to preclude a similar occurrence in
the future. At a minimum, we will be providing additional training to personnel to ensure that they
understand that personally identifiable information must at all times be treated in a manner that
preserves and protects the confidentiality of the data.

We  deeply  regret  and  apologize  for  any  inconvenience  and  concern  this  theft  may  cause  you. 

Should  you  have  any  questions,  please  call _ . 

Sincerely, 

Signature  Block 

(Directorate  level  or  higher) 
AP3. APPENDIX 3
DoD  BLANKET  ROUTINE  USES 
AP3.1.  ROUTINE  USE  -  LAW  ENFORCEMENT 

If  a  system  of  records  maintained  by  a  DoD  Component  to  carry  out  its  functions  indicates  a 
violation  or  potential  violation  of  law,  whether  civil,  criminal,  or  regulatory  in  nature,  and  whether 
arising  by  general  statute  or  by  regulation,  rule,  or  order  issued  pursuant  thereto,  the  relevant 
records  in  the  system  of  records  may  be  referred,  as  a  routine  use,  to  the  agency  concerned,  whether 
Federal,  State,  local,  or  foreign,  charged  with  the  responsibility  of  investigating  or  prosecuting  such 
violation  or  charged  with  enforcing  or  implementing  the  statute,  rule,  regulation,  or  order  issued 
pursuant  thereto. 

AP3.2.  ROUTINE  USE  -  DISCLOSURE  WHEN  REQUESTING  INFORMATION 

A  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  as  a  routine  use  to 
a  Federal,  State,  or  local  agency  maintaining  civil,  criminal,  or  other  relevant  enforcement 
information  or  other  pertinent  information,  such  as  current  licenses,  if  necessary  to  obtain 
information  relevant  to  a  Component  decision  concerning  the  hiring  or  retention  of  an  employee, 
the  issuance  of  a  security  clearance,  the  letting  of  a  contract,  or  the  issuance  of  a  license,  grant,  or 
other  benefit. 

AP3.3.  ROUTINE  USE  -  DISCLOSURE  OF  REQUESTED  INFORMATION 

A  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  to  a  Federal 
Agency,  in  response  to  its  request,  in  connection  with  the  hiring  or  retention  of  an  employee,  the 
issuance  of  a  security  clearance,  the  reporting  of  an  investigation  of  an  employee,  the  letting  of  a 
contract,  or  the  issuance  of  a  license,  grant,  or  other  benefit  by  the  requesting  agency,  to  the  extent 
that  the  information  is  relevant  and  necessary  to  the  requesting  agency’s  decision  on  the  matter. 

AP3.4.  ROUTINE  USE  -  CONGRESSIONAL  INQUIRIES 

Disclosure  from  a  system  of  records  maintained  by  a  Component  may  be  made  to  a  congressional 
office  from  the  record  of  an  individual  in  response  to  an  inquiry  from  the  congressional  office  made 
at  the  request  of  that  individual. 

AP3.5.  ROUTINE  USE  -  PRIVATE  RELIEF  LEGISLATION 

Relevant  information  contained  in  all  systems  of  records  of  the  Department  of  Defense  published 
on  or  before  August  22,  1975,  may  be  disclosed  to  the  Office  of  Management  and  Budget  in 
connection with the review of private relief legislation as set forth in OMB Circular A-19 at any
stage  of  the  legislative  coordination  and  clearance  process  as  set  forth  in  that  circular. 




AP3.6.  ROUTINE  USE  -  DISCLOSURES  REQUIRED  BY  INTERNATIONAL  AGREEMENTS 

A  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  to  foreign  law 
enforcement,  security,  investigatory,  or  administrative  authorities  to  comply  with  requirements 
imposed  by,  or  to  claim  rights  conferred  in,  international  agreements  and  arrangements,  including 
those  regulating  the  stationing  and  status  in  foreign  countries  of  Department  of  Defense  military 
and  civilian  personnel. 

AP3.7.  ROUTINE  USE  -  DISCLOSURE  TO  STATE  AND  LOCAL  TAXING  AUTHORITIES 

Any  information  normally  contained  in  Internal  Revenue  Service  (IRS)  Form  W-2  which  is 
maintained  in  a  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  to 
State  and  local  taxing  authorities  with  which  the  Secretary  of  the  Treasury  has  entered  into 
agreements  under  sections  5516,  5517,  5520  of  5  U.S.C.,  and  only  to  those  State  and  local  taxing 
authorities  for  which  an  employee  or  military  member  is  or  was  subject  to  tax  regardless  of  whether 
tax  is  or  was  withheld.  This  routine  use  is  in  accordance  with  Treasury  Fiscal  Requirements  Manual 
Bulletin  No.  76-07. 

AP3.8.  ROUTINE  USE  -  DISCLOSURE  TO  THE  OFFICE  OF  PERSONNEL  MANAGEMENT 

A  record  from  a  system  of  records  subject  to  the  Privacy  Act  and  maintained  by  a  Component  may 
be  disclosed  to  the  Office  of  Personnel  Management  (OPM)  concerning  information  on  pay  and 
leave,  benefits,  retirement  deductions,  and  any  other  information  necessary  for  the  OPM  to  carry 
out  its  legally  authorized  government-wide  personnel  management  functions  and  studies. 

AP3.9. ROUTINE USE - DISCLOSURE TO THE DEPARTMENT OF JUSTICE FOR
LITIGATION


A  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  as  a  routine  use  to 
any  Component  of  the  Department  of  Justice  for  the  purpose  of  representing  the  Department  of 
Defense,  or  any  officer,  employee  or  member  of  the  Department  in  pending  or  potential  litigation  to 
which  the  record  is  pertinent. 

AP3.10.  ROUTINE  USE  -  DISCLOSURE  TO  MILITARY  BANKING  FACILITIES 

Information  as  to  current  military  addresses  and  assignments  may  be  provided  to  military  banking 
facilities  who  provide  banking  services  overseas  and  who  are  reimbursed  by  the  Government  for 
certain  checking  and  loan  losses.  For  personnel  separated,  discharged,  or  retired  from  the  Armed 
Forces,  information  as  to  last  known  residential  or  home  of  record  address  may  be  provided  to  the 
military  banking  facility  upon  certification  by  a  banking  facility  officer  that  the  facility  has  a 
returned  or  dishonored  check  negotiated  by  the  individual  or  the  individual  has  defaulted  on  a  loan 
and  that  if  restitution  is  not  made  by  the  individual,  the  U.S.  Government  will  be  liable  for  the 
losses  the  facility  may  incur. 

AP3.11. ROUTINE USE - DISCLOSURE OF INFORMATION TO THE GENERAL SERVICES
ADMINISTRATION


A  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  as  a  routine  use  to 
GSA  for  the  purpose  of  records  management  inspections  conducted  under  authority  of  44  U.S.C. 
2904  and  2906. 

AP3.12.  ROUTINE  USE  -  DISCLOSURE  OF  INFORMATION  TO  THE  NATIONAL 
ARCHIVES  AND  RECORDS  ADMINISTRATION 


A  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  as  a  routine  use  to 
NARA  for  the  purpose  of  records  management  inspections  conducted  under  authority  of  44  U.S.C. 
2904  and  2906. 

AP3.13.  ROUTINE  USE  -  DISCLOSURE  TO  THE  MERIT  SYSTEMS  PROTECTION  BOARD 

A  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  as  a  routine  use  to 
the  Merit  Systems  Protection  Board,  including  the  Office  of  the  Special  Counsel,  for  the  purpose  of 
litigation,  including  administrative  proceedings,  appeals,  special  studies  of  the  civil  service  and 
other  merit  systems,  review  of  OPM  or  Component  rules  and  regulations,  investigation  of  alleged 
or  possible  prohibited  personnel  practices,  including  administrative  proceedings  involving  any 
individual  subject  of  a  DoD  investigation,  and  such  other  functions,  promulgated  in  5  U.S.C.  1205 
and  1206  or  as  may  be  authorized  by  law. 

AP3.14.  ROUTINE  USE  -  COUNTERINTELLIGENCE  PURPOSES 

A  record  from  a  system  of  records  maintained  by  a  Component  may  be  disclosed  as  a  routine  use 
outside  the  Department  of  Defense  or  the  U.S.  Government  for  the  purpose  of  counterintelligence 
activities  authorized  by  U.S.  law  or  Executive  Order,  or  for  the  purpose  of  enforcing  laws  that 
protect  the  national  security  of  the  United  States. 

AP4. APPENDIX 4

PROVISIONS OF THE PRIVACY ACT FROM WHICH A GENERAL OR A SPECIFIC
EXEMPTION MAY BE CLAIMED

    Exemptions
(j)(2)   (k)(1-7)   Section of the Privacy Act
No       No         (b)(1)      Disclosures within the Department of Defense.
No       No         (2)         Disclosures to the public.
No       No         (3)         Disclosures for a “Routine Use.”
No       No         (4)         Disclosures to the Bureau of Census.
No       No         (5)         Disclosures for statistical research and reporting.
No       No         (6)         Disclosures to the National Archives.
No       No         (7)         Disclosures for law enforcement purposes.
No       No         (8)         Disclosures under emergency circumstances.
No       No         (9)         Disclosures to the Congress.
No       No         (10)        Disclosures to the General Accounting Office.
No       No         (11)        Disclosures pursuant to court orders.
No       No         (12)        Disclosure to consumer reporting agencies.
No       No         (c)(1)      Making disclosure accountings.
No       No         (2)         Retaining disclosure accountings.
Yes      Yes        (c)(3)      Making disclosure accounting available to the individual.
Yes      No         (c)(4)      Informing prior recipients of corrections.
Yes      Yes        (d)(1)      Individual access to records.
Yes      Yes        (2)         Amending records.
Yes      Yes        (3)         Review of the Component’s refusal to amend a record.
Yes      Yes        (4)         Disclosure of disputed information.
Yes      Yes        (5)         Access to information compiled in anticipation of civil action.
Yes      Yes        (e)(1)      Restrictions on collecting information.
Yes      No         (e)(2)      Collecting directly from the individual.
Yes      No         (3)         Informing individuals from whom information is requested.
No       No         (e)(4)(A)   Describing the name and location of the system.
No       No         (B)         Describing categories of individuals.
No       No         (C)         Describing categories of records.
No       No         (D)         Describing routine uses.
No       No         (E)         Describing records management policies and practices.
No       No         (F)         Identifying responsible officials.
Yes      Yes        (e)(4)(G)   Procedures for determining if a system contains a record on an individual.
Yes      Yes        (H)         Procedures for gaining access.
Yes      Yes        (I)         Describing categories of information sources.
Yes      No         (e)(5)      Standards of accuracy.
No       No         (e)(6)      Validating records before disclosure.
No       No         (e)(7)      Records of First Amendment activities.
No       No         (e)(8)      Notification of disclosure under compulsory legal process.
No       No         (e)(9)      Rules of conduct.
No       No         (e)(10)     Administrative, technical, and physical safeguards.
No       No         (11)        Notice for new and revised routine uses.
Yes      Yes        (f)(1)      Rules for determining if an individual is subject of a record.
Yes      Yes        (f)(2)      Rules for handling access requests.
Yes      Yes        (f)(3)      Rules for granting access.
Yes      Yes        (f)(4)      Rules for amending records.
Yes      Yes        (f)(5)      Rules regarding fees.
Yes      No         (g)(1)      Basis for civil action.
Yes      No         (g)(2)      Basis for judicial review and remedies for refusal to amend.
Yes      No         (g)(3)      Basis for judicial review and remedies for denial of access.
Yes      No         (g)(4)      Basis for judicial review and remedies for other failure to comply.
Yes      No         (g)(5)      Jurisdiction and time limits.
Yes      No         (h)         Rights of legal guardians.
No       No         (i)(1)      Criminal penalties for unauthorized disclosure.
No       No         (2)         Criminal penalties for failure to publish.
No       No         (3)         Criminal penalties for obtaining records under false pretenses.
No       No         (j)         Rulemaking requirement.
N/A      N/A        (j)(1)      General exemption for the Central Intelligence Agency.
N/A      N/A        (j)(2)      General exemption for criminal law enforcement records.
No       No         (k)         Rulemaking requirement.
N/A      N/A        (k)(1)      Exemption for classified material.
N/A      N/A        (k)(2)      Exemption for law enforcement material.
N/A      N/A        (k)(3)      Exemption for records pertaining to Presidential protection.
N/A      N/A        (k)(4)      Exemption for statistical records.
N/A      N/A        (k)(5)      Exemption for investigatory material compiled for determining suitability for employment or service.
N/A      N/A        (k)(6)      Exemption for testing or examination material.
N/A      N/A        (k)(7)      Exemption for promotion evaluation materials used by the Armed Forces.
Yes      No         (l)(1)      Records stored in GSA records centers.
Yes      No         (l)(2)      Records archived before September 27, 1975.
Yes      No         (l)(3)      Records archived on or after September 27, 1975.
Yes      No         (m)         Applicability to Government contractors.
Yes      No         (n)         Mailing lists.
N/A      N/A        (o)         Matching Agreements.
N/A      N/A        (p)         Verification and Opportunity to Contest Findings.
N/A      N/A        (q)         Sanctions.
No       No         (r)         Reports on New Systems and Matching Programs.
N/A      N/A        (s)         Biennial Report.
N/A      N/A        (t)         Effect of other laws.
N/A      N/A        (u)         Data Integrity Boards.

AP5. APPENDIX 5

SAMPLE  OF  NEW  OR  ALTERED  SYSTEM  OF  RECORDS  NOTICE 
IN  FEDERAL  REGISTER  FORMAT 


New  System  of  Records  Notice 

DEPARTMENT  OF  DEFENSE 

Office  of  the  Secretary 

Privacy  Act  of  1974;  System  of  Records 

AGENCY: Office of the Secretary, DoD

ACTION:  Notice  to  Add  a  System  of  Records 

SUMMARY:  The  Office  of  the  Secretary  of  Defense  proposes  to  add  a  system  of  records  to  its 
inventory  of  record  systems  subject  to  the  Privacy  Act  of  1974  (5  U.S.C.  552a),  as  amended. 

DATES:  The  changes  will  be  effective  on  (insert  date  thirty  days  after  publication  in  the  Federal 
Register)  unless  comments  are  received  that  would  result  in  a  contrary  determination. 

ADDRESSES:  Send  comments  to  OSD  Privacy  Act  Coordinator,  Records  Management  Section, 
Washington  Headquarters  Services,  1155  Defense  Pentagon,  Washington,  DC  20301-1155. 

FOR  FURTHER  INFORMATION  CONTACT:  Ms.  Mary  Smith  at  (703)  000-0000. 

SUPPLEMENTARY  INFORMATION:  The  Office  of  the  Secretary  of  Defense  notices  for 
systems  of  records  subject  to  the  Privacy  Act  of  1974  (5  U.S.C.  552a),  as  amended,  have  been 
published  in  the  Federal  Register  and  are  available  from  the  address  above. 

The proposed systems reports, as required by 5 U.S.C. 552a(r) of the Privacy Act of 1974, as
amended, were submitted on January 20, 2006, to the House Committee on Government Reform,
the Senate Committee on Homeland Security and Governmental Affairs, and the Office of
Management and Budget (OMB) pursuant to paragraph 4c of Appendix I to OMB Circular No.
A-130, “Federal Agency Responsibilities for Maintaining Records About Individuals,” dated February
8, 1996 (February 20, 1996, 61 FR 6427).

Dated:  February  1,  2006. 


John  Miller 

Alternate  OSD  Federal  Register  Liaison  Officer,  Department  of  Defense. 


NSLRB  01 
System  name: 

The  National  Security  Labor  Relations  Board  (NSLRB). 

System location:

National  Security  Labor  Relations  Board  (NSLRB),  1401  Wilson  Boulevard,  Arlington,  VA  22209- 
2325. 

Categories  of  individuals  covered  by  the  system: 

Current  and  former  civilian  Federal  Government  employees  who  have  filed  unfair  labor  practice 
charges,  negotiability  disputes,  exceptions  to  arbitration  awards,  and  impasses  with  the  National 
Security  Labor  Relations  Board  (NSLRB)  pursuant  to  the  National  Security  Personnel  System 
(NSPS). 

Categories  of  records  in  the  system: 

Documents  relating  to  the  proceedings  before  the  Board,  including  the  name  of  the  individual 
initiating  NSLRB  action,  statements  of  witnesses,  reports  of  interviews  and  hearings,  examiner’s 
findings  and  recommendations,  a  copy  of  the  original  decision,  and  related  correspondence  and 
exhibits. 

Authority  for  maintenance  of  the  system: 

The  National  Defense  Authorization  Act  for  FY  2004,  Pub  Law  108-136,  Section  1101;  5  U.S.C. 
9902(m),  Labor  Management  Relations  in  the  Department  of  Defense;  and  5  CFR  9901.907, 
National  Security  Labor  Relations  Board. 

Purpose(s): 

To  establish  a  system  of  records  that  will  document  adjudication  of  unfair  labor  practice  charges, 
negotiability  disputes,  exceptions  to  arbitration  awards,  and  impasses  filed  with  the  National 
Security  Labor  Relations  Board. 

Routine  uses  of  records  maintained  in  the  system,  including  categories  of  users  and  the  purposes  of 
such  uses: 

In  addition  to  those  disclosures  generally  permitted  under  5  U.S.C.  552a(b)  of  the  Privacy  Act, 
these  records  or  information  contained  therein  may  specifically  be  disclosed  outside  the  DoD  as  a 
routine  use  pursuant  to  5  U.S.C.  552a(b)(3)  as  follows: 

To the Federal Labor Relations Authority (FLRA) or the Equal Employment Opportunity
Commission, when requested, for performance of functions authorized by law.

To disclose, in response to a request for discovery or for appearance of a witness, information that
is relevant to the subject matter involved in a pending judicial or administrative proceeding.

To  provide  information  to  officials  of  labor  organizations  recognized  under  5  U.S.C.  Chapter  71 
when  relevant  and  necessary  to  their  duties  of  exclusive  representation  concerning  personnel 
policies,  practices,  and  matters  affecting  work  conditions. 

The  DoD  “Blanket  Routine  Uses”  set  forth  at  the  beginning  of  OSD’s  compilation  of  systems  of 
records  notices  apply  to  this  system. 

Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the
system:

Storage: 

Records  are  maintained  on  electronic  storage  media  and  paper. 

Retrievability: 

Records will be retrieved in the system by the following identifiers: assigned case number;
individual’s name; labor organizations filing the unfair labor practice charges; negotiability
disputes; exceptions to arbitration awards; date, month, year of filing; complaint type; and the
organizational component from which the complaint arises.

Safeguards: 

Records are maintained in a controlled facility. Physical entry is restricted by the use of locks
and guards, and the facility is accessible only to authorized personnel. Access to records is limited
to person(s) responsible for servicing the record in performance of their official duties and who are
properly screened and cleared for need-to-know. Access to computerized data is restricted by
passwords, which are changed periodically.


Retention  and  disposal: 

Records  are  disposed  of  5  years  after  final  resolution  of  case. 

System  manager(s)  and  address: 

Executive  Director,  National  Security  Personnel  System,  Program  Executive  Office,  1401  Wilson 
Boulevard,  Arlington,  VA  22209-2325. 

Notification  procedure: 

Individuals  seeking  to  determine  whether  this  system  of  records  contains  information  about 
themselves  should  address  written  inquiries  to  the  Executive  Director,  National  Security  Personnel 
System,  Program  Executive  Office,  1401  Wilson  Boulevard,  Arlington,  VA  22209-2325. 

Requests should contain name; assigned case number; approximate case date (day, month, and
year); case type; the names of the individuals and/or labor organizations that filed the unfair labor
practice charges; negotiability disputes; exceptions to arbitration awards; and impasses.

Record  access  procedures: 

Individuals  seeking  access  to  records  about  themselves  contained  in  this  system  of  records  should 
address  written  inquiries  to  the  Executive  Director,  National  Security  Personnel  System,  Program 
Executive  Office,  1401  Wilson  Boulevard,  Arlington,  VA  22209-2325. 

Requests should contain name; assigned case number; approximate case date (day, month, and
year); case type; the names of the individuals and/or labor organizations that filed the unfair labor
practice charges; negotiability disputes; exceptions to arbitration awards; and impasses.

Contesting record procedures:

The OSD’s rules for accessing records, for contesting contents and appealing initial agency
determinations are published in OSD Administrative Instruction No. 81; 32 CFR part 311; or may
be obtained from the system manager.

Record  source  categories: 

Individual; other officials or employees; and departmental and other records containing information
pertinent to the NSLRB action.

Exemptions  claimed  for  the  system: 

None. 

Altered System of Record Notice

DEPARTMENT  OF  DEFENSE 

Defense  Logistics  Agency 

Privacy  Act  of  1974;  Systems  of  Records 

AGENCY: Defense Logistics Agency

ACTION: Notice to Alter a System of Records

SUMMARY: The Defense Logistics Agency proposes to alter a system of records notice in its
inventory of record systems subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended.

The  alteration  adds  two  routine  uses,  revises  the  purpose  category,  and  makes  other  administrative 
changes  to  the  system  notice. 

DATES:  This  action  will  be  effective  without  further  notice  on  (insert  date  thirty  days  after 
publication  in  the  Federal  Register)  unless  comments  are  received  that  would  result  in  a  contrary 
determination. 

ADDRESSES:  Send  comments  to  the  Privacy  Act  Officer,  Headquarters,  Defense  Logistics 
Agency,  ATTN:  DSS-B,  8725  John  J.  Kingman  Road,  Suite  2533,  Fort  Belvoir,  VA  22060-6221. 

FOR  FURTHER  INFORMATION  CONTACT:  Ms.  Mary  Smith  at  (703)  000-0000. 

SUPPLEMENTARY  INFORMATION:  The  Defense  Logistics  Agency  notices  for  systems  of 
records  subject  to  the  Privacy  Act  of  1974  (5  U.S.C.  552a),  as  amended,  have  been  published  in  the 
Federal  Register  and  are  available  from  the  address  above. 

The proposed system report, as required by 5 U.S.C. 552a(r) of the Privacy Act of 1974, as
amended, was submitted on January 29, 2004, to the House Committee on Government Reform, the
Senate Committee on Governmental Affairs, and the Office of Management and Budget (OMB)
pursuant to paragraph 4c of Appendix I to OMB Circular No. A-130, “Federal Agency
Responsibilities for Maintaining Records About Individuals,” dated February 8, 1996 (February 20,
1996, 61 FR 6427).

Dated:  February  2,  2004. 


John  Miller 

Alternate  OSD  Federal  Register  Liaison  Officer,  Department  of  Defense. 


S253.10  DLA-G 
System  name: 

Invention  Disclosure  (February  22,  1993,  58  FR  10854). 
Changes: 

System identifier:

Replace “S253.10 DLA-G” with “S100.70.”

Categories  of  individuals  covered  by  the  system: 

Delete  “to  the  DLA  General  Counsel”  at  the  end  of  the  sentence  and  replace  with  “to  DLA.” 

Categories  of  records  in  the  system: 

Delete  entry  and  replace  with  Inventor’s  name,  Social  Security  Number,  address,  and  telephone 
numbers;  descriptions  of  inventions;  designs  or  drawings,  as  appropriate;  evaluations  of 
patentability;  recommendations  for  employee  awards;  licensing  documents;  and  similar  records. 
Where  patent  protection  is  pursued  by  DLA,  the  file  may  also  contain  copies  of  applications, 
Letters  Patent,  and  related  materials. 

Authority  for  maintenance  of  the  system: 

Delete entry and replace with 5 U.S.C. 301, Departmental Regulations; 5 U.S.C. 4502, General
provisions; 10 U.S.C. 2320, Rights in technical data; 15 U.S.C. 3710b, Rewards for scientific,
engineering, and technical personnel of federal agencies; 15 U.S.C. 3710d, Employee activities; 35
U.S.C. 181-185, Secrecy of Certain Inventions and Filing Applications in Foreign Countries; E.O.
9397 (SSN); and E.O. 10096 (Inventions Made by Government Employees) as amended by E.O.
10930.

Purpose(s): 

Delete entry and replace with “Data is maintained for making determinations regarding and
recording DLA interest in the acquisition of patents; for documenting the patent process; and for
documenting any rights of the inventor. The records may also be used in conjunction with the
employee award program, where appropriate.”

Routine  uses  of  records  maintained  in  the  system,  including  categories  of  users  and  the  purpose  of 
such  uses: 

Add two new paragraphs “To the U.S. Patent and Trademark Office for use in processing
applications and performing related functions and responsibilities under title 35 of the U.S. Code.

To  foreign  government  patent  offices  for  the  purpose  of  securing  foreign  patent  rights.” 

Safeguards:

Delete  entry  and  replace  with  “Access  is  limited  to  those  individuals  who  require  the  records  for  the 
performance  of  their  official  duties.  Paper  records  are  maintained  in  buildings  with  controlled  or 
monitored  access.  During  non-duty  hours,  records  are  secured  in  locked  or  guarded  buildings, 
locked  offices,  or  guarded  cabinets.  The  electronic  records  systems  employ  user  identification  and 
password  or  smart  card  technology  protocols.” 

Retention  and  disposal: 

Delete  entry  and  replace  with  “Records  maintained  by  Headquarters  and  field  Offices  of  Counsel 
are  destroyed  26  years  after  file  is  closed.  Records  maintained  by  field  level  Offices  of  Counsel 
where  patent  applications  are  not  prepared  are  destroyed  7  years  after  closure.” 

Record  source  categories: 

Delete  entry  and  replace  with  “Inventors,  reviewers,  evaluators,  officials  of  U.S.  and  foreign  patent 
offices,  and  other  persons  having  a  direct  interest  in  the  file.” 


S100.70 

System  name: 

Invention  Disclosure. 

System  location: 

Office  of  the  General  Counsel,  HQ  DLA-DG,  8725  John  J.  Kingman  Road,  Stop  2533,  Fort 
Belvoir,  VA  22060-6221,  and  the  offices  of  counsel  of  the  DLA  field  activities.  Official  mailing 
addresses  are  published  as  an  appendix  to  DLA’s  compilation  of  systems  of  records  notices. 

Categories  of  individuals  covered  by  the  system: 

Employees  and  military  personnel  assigned  to  DLA  who  have  submitted  invention  disclosures  to 
DLA. 

Categories  of  records  in  the  system: 

Inventor’s  name,  Social  Security  Number,  address,  and  telephone  numbers;  descriptions  of 
inventions;  designs  or  drawings,  as  appropriate;  evaluations  of  patentability;  recommendations  for 
employee  awards;  licensing  documents;  and  similar  records.  Where  patent  protection  is  pursued  by 
DLA,  the  file  may  also  contain  copies  of  applications,  Letters  Patent,  and  related  materials. 

Authority  for  maintenance  of  the  system:

5  U.S.C.  301,  Departmental  Regulations;  5  U.S.C.  4502,  General  provisions;  10  U.S.C.  2320, 
Rights  in  technical  data;  15  U.S.C.  3710b,  Rewards  for  scientific,  engineering,  and  technical 
personnel  of  federal  agencies;  15  U.S.C.  3710d,  Employee  activities;  35  U.S.C.  181-185,  Secrecy
of  Certain  Inventions  and  Filing  Applications  in  Foreign  Countries;  E.O.  9397  (SSN);  and  E.O. 
10096  (Inventions  Made  by  Government  Employees)  as  amended  by  E.O.  10930. 

Purpose(s): 

Data  is  maintained  for  making  determinations  regarding  and  recording  DLA  interest  in  the 
acquisition  of  patents,  for  documenting  the  patent  process,  and  for  documenting  any  rights  of  the 
inventor.  The  records  may  also  be  used  in  conjunction  with  the  employee  award  program,  where 
appropriate. 

Routine  uses  of  records  maintained  in  the  system,  including  categories  of  users  and  the  purposes  of 
such  uses: 

In  addition  to  those  disclosures  generally  permitted  under  5  U.S.C.  552a(b)  of  the  Privacy  Act, 
these  records  or  information  contained  therein  may  specifically  be  disclosed  outside  the  DoD  as  a 
routine  use  pursuant  to  5  U.S.C.  552a(b)(3)  as  follows: 

To  the  U.S.  Patent  and  Trademark  Office  for  use  in  processing  applications  and  performing  related 
functions  and  responsibilities  under  Title  35  of  the  U.S.  Code.

To  foreign  government  patent  offices  for  the  purpose  of  securing  foreign  patent  rights. 

Information  may  be  referred  to  other  government  agencies  or  to  non-government  agencies  or  to
non-government  personnel  (including  contractors  or  prospective  contractors)  having  an  identified 
interest  in  a  particular  invention  and  the  Government’s  rights  therein. 

The  DoD  “Blanket  Routine  Uses”  set  forth  at  the  beginning  of  DLA’s  compilation  of  systems  of
records  notices  apply  to  this  system. 

Policies  and  practices  for  storing,  retrieving,  accessing,  retaining,  and  disposing  of  records  in  the 
system: 

Storage: 

Records  are  maintained  in  paper  and  computerized  form. 

Retrievability: 

Filed  by  names  of  inventors. 

Safeguards: 

Access  is  limited  to  those  individuals  who  require  the  records  for  the  performance  of  their  official 
duties.  Paper  records  are  maintained  in  buildings  with  controlled  or  monitored  access.  During 
non-duty  hours,  records  are  secured  in  locked  or  guarded  buildings,  locked  offices,  or  guarded 
cabinets.  The  electronic  records  systems  employ  user  identification  and  password  or  smart  card 
technology  protocols. 

Retention  and  disposal:

Records  maintained  by  the  HQ  and  field  Offices  of  Counsel  are  destroyed  26  years  after  file  is  closed.
Records  maintained  by  field  level  Offices  of  Counsel  where  patent  applications  are  not  prepared  are 
destroyed  7  years  after  closure. 

System  manager(s)  and  address: 

Office  of  the  General  Counsel,  Headquarters,  Defense  Logistics  Agency,  ATTN:  DG,  8725  John  J. 
Kingman  Road,  Stop  2533,  Fort  Belvoir,  VA  22060-6221. 

Notification  procedure: 

Individuals  seeking  to  determine  whether  information  about  themselves  is  contained  in  this  system 
should  address  written  inquiries  to  the  Privacy  Officer,  Headquarters,  Defense  Logistics  Agency, 
ATTN:  DSS-B,  8725  John  J.  Kingman  Road,  Stop  6220,  Fort  Belvoir,  VA  22060-6221,  or  the 
Privacy  Officers  at  DLA  field  activities.  Official  mailing  addresses  are  published  as  an  appendix  to 
DLA’s  compilation  of  systems  of  records  notices. 

Record  access  procedures: 

Individuals  seeking  access  to  information  about  themselves  contained  in  this  system  should  address 
written  inquiries  to  the  Privacy  Officer,  Headquarters,  Defense  Logistics  Agency,  ATTN:  DSS-B, 
8725  John  J.  Kingman  Road,  Stop  6220,  Fort  Belvoir,  VA  22060-6221,  or  the  Privacy  Officers  at 
the  DLA  field  activities.  Official  mailing  addresses  are  published  as  an  appendix  to  DLA’s 
compilation  of  systems  of  records  notices. 

Individuals  should  provide  information  that  contains  full  name,  current  address  and  telephone 
numbers  of  requester. 

For  personal  visits,  each  individual  shall  provide  acceptable  identification,  e.g.,  driver’s  license  or 
identification  card. 

Contesting  record  procedures: 

The  DLA  rules  for  accessing  records,  contesting  contents,  and  appealing  initial  agency 
determinations  are  contained  in  32  CFR  part  323,  or  may  be  obtained  from  the  Privacy  Act  Officer,
Headquarters,  Defense  Logistics  Agency,  ATTN:  DSS-B,  8725  John  J.  Kingman  Road,  Stop  6220, 
Fort  Belvoir,  VA  22060-6221. 

Record  source  categories: 

Inventors,  reviewers,  evaluators,  officials  of  U.S.  and  foreign  patent  offices,  and  other  persons
having  a  direct  interest  in  the  file. 

Exemptions  claimed  for  the  system: 

None. 




AP6.  APPENDIX  6 

FORMAT  FOR  NEW  OR  ALTERED  SYSTEM  REPORT 


The  report  on  a  new  or  altered  system  shall  consist  of  a  transmittal  letter,  a  narrative  statement,  and 
include  supporting  documentation. 

A.  TRANSMITTAL  LETTER.  The  transmittal  letter  shall  be  prepared  by  the  Defense  Privacy 
Office  and  shall  contain  assurances  that  the  new  or  altered  system  does  not  duplicate  any  existing 
Component  systems,  DoD-wide  systems  or  government-wide  systems.  The  narrative  statement, 
and  the  system  notice,  shall  be  attached  thereto. 

B.  NARRATIVE  STATEMENT.  The  statement  shall  include  information  on  the  following: 

1.  System  Identifier  and  name;

2.  Responsible  official; 

3.  Purpose  of  establishing  the  system  [for  a  new  system  only]  or  Nature  of  the  changes
proposed  for  the  system  [for  altered  system  only]; 

4.  Authority  for  maintenance  of  the  System; 

5.  Probable  or  potential  effects  on  the  privacy  of  individuals; 

6.  Is  the  system,  in  whole  or  part,  being  maintained  by  a  contractor; 

7.  Steps  taken  to  minimize  risk  of  unauthorized  access; 

8.  Routine  use  compatibility; 

9.  OMB  information  collection  requirements;  and 

10.  Supporting  documentation. 

Attachments  -  2 

AP6.A1.  Format  for  Narrative  Statement 
AP6.A2.  Sample  Narrative  Statement 

AP6.A1.  APPENDIX  6,  ATTACHMENT  1

FORMAT  FOR  NARRATIVE  STATEMENT 

DEPARTMENT  OF  DEFENSE 
[Component  Name] 

Narrative  Statement  on  a  [New/Altered]  system  of  records 
Under  the  Privacy  Act  of  1974 

1.  System  Identifier  and  Name.  This  caption  sets  forth  the  identification  and  name  of  the  system
(see  paragraphs  C6.3.2.  and  C6.3.3.  of  Chapter  6). 

2.  Responsible  Official.  The  name,  title,  address,  and  telephone  number  of  the  official  responsible 
for  the  report  and  to  whom  inquiries  and  comments  about  the  report  may  be  directed  by  Congress, 
the  Office  of  Management  and  Budget,  or  the  Defense  Privacy  Office. 

3.  Purpose  of  establishing  the  system  or  nature  of  the  changes  proposed  for  the  system:  Describe 
the  purpose  of  the  new  system  or  how  an  existing  system  is  being  changed. 

4.  Authority  for  maintenance  of  the  system.  See  paragraph  C6.3.7.  of  Chapter  6.

5.  Probable  or  potential  effects  on  the  privacy  of  individuals.  What  effect,  if  any,  will  the  new  or
altered  system  have  on  the  personal  privacy  of  the  affected  individuals?

6.  Is  the  system,  in  whole  or  in  part,  being  maintained  by  a  contractor.  If  yes,  Components  shall 
ensure  that  the  contract  has  incorporated  the  Federal  Acquisition  privacy  clause  (Reference  (k)). 

7.  Steps  taken  to  minimize  risk  of  unauthorized  access.  Describe  actions  taken  to  reduce  the 
vulnerability  of  the  system  to  potential  threats.  See  Appendix  1  to  this  regulation. 

8.  Routine  use  compatibility.  Provide  assurances  that  any  records  contained  in  the  system  that  are 
disclosed  outside  the  DoD  shall  be  for  a  use  that  is  compatible  with  the  purpose  for  which  the 
record  was  collected.  Advise  whether  or  not  the  blanket  routine  uses  apply  to  this  system. 

9.  OMB  collection  requirements.  If  information  is  to  be  collected  from  members  of  the  public,  the 
requirements  of  Reference  (ag)  apply  and  OMB  must  be  advised. 

10.  Supporting  documentation.  The  following  are  typical  enclosures  that  may  be  required: 

a.  An  advance  copy  of  the  system  notice  for  a  new  or  altered  system  that  is  proposed  for 
publication. 

b.  An  advance  copy  of  a  proposed  exemption  rule  if  the  new  or  altered  system  is  to  be 
exempted  in  accordance  with  Chapter  5. 

c.  Any  other  supporting  documentation  that  may  be  pertinent  or  helpful  in  understanding  the
need  for  the  system  or  clarifying  its  intended  use. 

AP6.A2.  APPENDIX  6,  ATTACHMENT  2

SAMPLE  NARRATIVE  STATEMENT 

DEPARTMENT  OF  DEFENSE 
Office  of  the  Secretary 

Narrative  Statement  on  a  New  System  of  Records 
Under  the  Privacy  Act  of  1974 

1.  System  identifier  and  name:  NSLRB  01,  entitled  “The  National  Security  Labor  Relations  Board 
(NSLRB).” 

2.  Responsible  official:  Mr.  John  Miller,  National  Security  Labor  Relations  Board  (NSLRB),  0000 
Smith  Boulevard,  Arlington,  VA  22209,  Telephone  (703)  000-0000. 

3.  Purpose  of  establishing  the  system:  The  Office  of  the  Secretary  of  Defense  is  proposing  to 
establish  a  system  of  records  that  will  document  adjudication  of  unfair  labor  practice  charges, 
negotiability  disputes,  exceptions  to  arbitration  awards,  and  impasses  filed  with  the  National 
Security  Labor  Relations  Board. 

4.  Authority  for  the  maintenance  of  the  system:  The  National  Defense  Authorization  Act  for  FY 
2004,  Pub  Law  108-136,  Section  1101;  5  U.S.C.  9902(m),  Labor  Management  Relations  in  the 
Department  of  Defense;  and  5  CFR  9901.907,  National  Security  Labor  Relations  Board. 

5.  Probable  or  potential  effects  on  the  privacy  of  individuals: 

None 

6.  Is  the  system,  in  whole  or  in  part,  being  maintained  by  a  contractor?  No 

7.  Steps  taken  to  minimize  risk  of  unauthorized  access:  Records  are  maintained  in  a  controlled 
facility.  Physical  entry  is  restricted  by  the  use  of  locks,  guards,  and  is  accessible  only  to  authorized 
personnel.  Access  to  records  is  limited  to  person(s)  responsible  for  servicing  the  record  in 
performance  of  their  official  duties  and  who  are  properly  screened  and  cleared  for  need-to-know. 
Access  to  computerized  data  is  restricted  by  passwords,  which  are  changed  periodically. 

8.  Routine  use  compatibility:  Any  release  of  information  contained  in  this  system  of  records 
outside  of  the  DoD  will  be  compatible  with  purposes  for  which  the  information  is  collected  and
maintained.  The  DoD  “Blanket  Routine  Uses”  apply  to  this  system  of  records. 

9.  OMB  information  collection  requirements:  None. 

10.  Supporting  documentation:  None. 

AP7.  APPENDIX  7

SAMPLE  AMENDMENTS  OR  DELETIONS  TO  SYSTEMS  NOTICES 
IN  FEDERAL  REGISTER  FORMAT 


Amendment  of  system  notice 

DEPARTMENT  OF  DEFENSE 
Department  of  the  Army 
Privacy  Act  of  1974;  System  of  Records 
AGENCY:  Department  of  the  Army,  DoD. 

ACTION:  Notice  to  Amend  a  System  of  Records. 

SUMMARY:  The  Department  of  the  Army  is  proposing  to  amend  a  system  of  records  notice  in  its
existing  inventory  of  records  systems  subject  to  the  Privacy  Act  of  1974,  (5  U.S.C.  552a),  as 
amended. 


DATES:  This  proposed  action  will  be  effective  without  further  notice  on  (insert  date  thirty  days 
after  publication  in  Federal  Register)  unless  comments  are  received  which  result  in  a  contrary 
determination.


ADDRESSES:  Department  of  the  Army,  Freedom  of  Information  /  Privacy  Division,  U.S.  Army 
Records  Management  and  Declassification  Agency,  ATTN:  AHRC-PDD-FPZ,  7701  Telegraph 
Road,  Casey  Building,  Suite  144,  Alexandria,  VA  22325-3905. 

FOR  FURTHER  INFORMATION  CONTACT:  Ms.  Mary  Smith  at  (703)  000-0000. 

SUPPLEMENTARY  INFORMATION:  The  Department  of  the  Army  systems  of  records  notices 
subject  to  the  Privacy  Act  of  1974,  (5  U.S.C.  552a),  as  amended,  have  been  published  in  the 
Federal  Register  and  are  available  from  the  address  above. 

The  specific  changes  to  the  records  systems  being  amended  are  set  forth  below  followed  by  the 
notices,  as  amended,  published  in  their  entirety.  The  proposed  amendments  are  not  within  the 
purview  of  subsection  (r)  of  the  Privacy  Act  of  1974,  (5  U.S.C.  552a),  as  amended,  which  requires 
the  submission  of  a  new  or  altered  system  report. 

Dated:  February  3,  2006. 


John  Miller 

Alternate  OSD  Federal  Register  Liaison  Officer,  Department  of  Defense. 


A0055  USEUCOM 
System  name: 

Europe  Command  Travel  Clearance  Records  (August  23,  2004,  69  FR  51817).
Changes: 

System  name: 

Delete  system  identifier  and  replace  with:  “A0055  USEUCOM  DoD”. 


A0055  USEUCOM  DoD 
System  name: 

Europe  Command  Travel  Clearance  Records. 

System  location: 

Headquarters,  United  States  European  Command,  Computer  Network  Operations  Center,  Building 
2324,  P.O.  Box  1000,  APO  AE  09131-1000. 

Categories  of  individuals  covered  by  the  system: 

Military,  DoD  civilians,  and  non-DoD  personnel  traveling  under  DoD  sponsorship  (e.g., 
contractors,  foreign  nationals  and  dependents)  and  includes  temporary  travelers  within  the  United 
States  European  Command’s  (USEUCOM)  area  of  responsibility  as  defined  by  the  DoD  Foreign
Clearance  Guide  Program. 

Categories  of  records  in  the  system: 

Travel  requests,  which  contain  the  individual’s  name;  rank/pay  grade;  Social  Security  Number; 
military  branch  or  department;  passport  number;  Visa  Number;  office  address  and  telephone 
number,  official  and  personal  email  address,  detailed  information  on  sites  to  be  visited,  visitation 
dates  and  purpose  of  visit. 

Authority  for  the  maintenance  of  the  system: 

10  U.S.C.  3013,  Secretary  of  the  Army;  10  U.S.C.  5013,  Secretary  of  the  Navy;  10  U.S.C.  8013, 
Secretary  of  the  Air  Force;  DoD  4500.54-G,  Department  of  Defense  Foreign  Clearance  Guide;
Public  Law  99-399,  Omnibus  Diplomatic  Security  and  Antiterrorism  Act  of  1986;  22  U.S.C.  4801, 
4802,  and  4805,  Foreign  Relations  and  Intercourse;  E.O.  12333,  United  States  Intelligence
Activities;  Army  Regulation  55-46,  Travel  Overseas;  and  E.O.  9397  (SSN). 

Purpose(s):

To  provide  the  DoD  with  an  automated  system  to  clear  and  audit  travel  within  the  United  States 
European  Command’s  area  of  responsibility  and  to  ensure  compliance  with  the  specific  clearance 
requirements  outlined  in  the  DoD  Foreign  Clearance  Guide;  to  provide  individual  travelers  with
intelligence  and  travel  warnings;  and  to  provide  the  Defense  Attache  and  other  DoD  authorized
officials  with  information  necessary  to  verify  official  travel  by  DoD  personnel.

Routine  uses  of  records  maintained  in  the  system,  including  categories  of  users  and  the  purposes  of 
such  uses: 




In  addition  to  those  disclosures  generally  permitted  under  5  U.S.C.  552a(b)  of  the  Privacy  Act, 
these  records  or  information  contained  therein  may  specifically  be  disclosed  outside  the  DoD  as  a 
routine  use  pursuant  to  5  U.S.C.  552a(b)(3)  as  follows: 

To  the  Department  of  State  Regional  Security  Officer,  U.S.  Embassy  officials,  and  foreign  police 
for  the  purpose  of  coordinating  security  support  for  DoD  travelers. 

The  DoD  “Blanket  Routine  Uses”  set  forth  at  the  beginning  of  the  Army’s  compilation  of  systems 
of  records  notices  also  apply  to  this  system.

Policies  and  practices  for  storing,  retrieving,  accessing,  retaining,  and  disposing  of  records.

Storage: 

Electronic  storage  media. 

Retrievability: 

Retrieved  by  individual’s  surname,  Social  Security  Number  and/or  passport  number. 

Safeguards: 

Electronic  records  are  located  in  the  United  States  European  Command’s  Theater  Requirements 
Automated  Clearance  System  (TRACS)  computer  database  with  built  in  safeguards.  Computerized 
records  are  maintained  in  controlled  areas  accessible  only  to  authorized  personnel  with  an  official 
need  to  know  access.  In  addition,  automated  files  are  password  protected  and  in  compliance  with 
the  applicable  laws  and  regulations.  Another  built-in  safeguard  of  the  system  is  that  records  are
accessed  through  a  secure  network.

Retention  and  disposal: 

Records  are  destroyed  3  months  after  travel  is  completed. 

System  manager(s)  and  address: 

Special  Assistant  for  Security  Matters,  Headquarters,  United  States  European  Command,  Unit 
30400,  P.O.  Box  1000,  APO  AE  09131-1000. 

Notification  procedures: 

Individuals  seeking  to  determine  whether  information  about  themselves  is  contained  in  this  system 
of  records  should  address  written  inquiries  to  the  Special  Assistant  for  Security  Matters, 
Headquarters,  United  States  European  Command,  Unit  30400,  P.O.  Box  1000,  APO  AE  09131- 
1000. 

Requests  should  contain  individual’s  full  name,  Social  Security  Number,  and/or  passport  number.

Record  access  procedures:

Individuals  seeking  to  access  information  about  themselves  that  is  contained  in  this  system  of 
records  should  address  written  inquiries  to  the  Special  Assistant  for  Security  Matters,  Headquarters, 
United  States  European  Command,  Unit  30400,  P.O.  Box  1000,  APO  AE  09131-1000. 

Requests  should  contain  individual’s  full  name,  Social  Security  Number,  and/or  passport  number.

Contesting  record  procedures:

The  Army’s  rules  for  accessing  records  and  for  contesting  contents  and  appealing  initial  agency
determinations  are  contained  in  Army  Regulation  340-21;  32  CFR  part  505;  or  may  be  obtained
from  the  system  manager. 

Record  source  categories: 

From  individuals. 

Exemptions  claimed  for  the  system: 

None. 

Deletion  of  system  notice 

DEPARTMENT  OF  DEFENSE 
Office  of  the  Secretary 
Privacy  Act  of  1974;  System  of  Records 
AGENCY:  Office  of  the  Secretary,  DoD.

ACTION:  Notice  to  Delete  Systems  of  Records. 

SUMMARY:  The  Office  of  the  Secretary  of  Defense  is  deleting  a  system  of  records  notice  from  its 
existing  inventory  of  records  systems  subject  to  the  Privacy  Act  of  1974,  (5  U.S.C.  552a),  as 
amended. 

DATES:  This  proposed  action  will  be  effective  without  further  notice  on  (insert  date  thirty  days 
after  publication  in  Federal  Register)  unless  comments  are  received  which  result  in  a  contrary 
determination. 

ADDRESSES:  OSD  Privacy  Act  Coordinator,  Records  Management  Section,  Washington 
Headquarters  Services,  1155  Defense  Pentagon,  Washington,  DC  20301-1155. 

FOR  FURTHER  INFORMATION  CONTACT:  Ms.  Mary  Smith  at  (703)  000-0000. 

SUPPLEMENTARY  INFORMATION:  The  Office  of  the  Secretary  of  Defense  systems  of  records 
notices  subject  to  the  Privacy  Act  of  1974,  (5  U.S.C.  552a),  as  amended,  have  been  published  in  the 
Federal  Register  and  are  available  from  the  address  above. 

The  specific  changes  to  the  records  system  being  amended  are  set  forth  below  followed  by  the 
notice,  as  amended,  published  in  its  entirety.  The  proposed  amendments  are  not  within  the  purview 
of  subsection  (r)  of  the  Privacy  Act  of  1974,  (5  U.S.C.  552a),  as  amended,  which  requires  the 
submission  of  a  new  or  altered  system  report. 

Dated:  April  2,  2006. 




John  Miller 

OSD  Federal  Register  Liaison  Officer,  Department  of  Defense. 


DODDS  27 
System  name: 

DoD  Domestic  and  Elementary  School  Employee  File  (May  9,  2003,  68  FR  24935). 

Reason:  The  records  contained  in  this  system  of  records  are  covered  by  OPM/GOVT-1  (General 
Personnel  Records),  a  government  wide  system  notice. 

AP8.  APPENDIX  8
LITIGATION  STATUS  SHEET 


1.  Case  Number1 

2.  Requester 

3.  Document  Title  or  Description2

4.  Litigation 

a.  Date  Complaint  Filed 

b.  Court 

c.  Case  File  Number1 

5.  Defendants  (DoD  Component  and  individual) 

6.  Remarks  (brief  explanation  of  what  the  case  is  about) 

7.  Court  Action 

a.  Court’s  Finding 

b.  Disciplinary  Action  (as  appropriate) 

8.  Appeal  (as  appropriate) 

a.  Date  Complaint  Filed 

b.  Court 

c.  Case  File  Number 

d.  Court’s  Finding 

e.  Disciplinary  Action  (as  appropriate) 

Footnotes: 

1.  Number  used  by  the  Component  for  Reference  purposes.

2.  Indicate  the  nature  of  the  case,  such  as,  “Denial  of  access,”  “Refusal  to  amend,”  “Incorrect
records,”  or  other  violations  of  the  Act  (specify). 